x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:50:00 executing program 1: syz_open_dev$sndseq(0x0, 0x0, 0x0) mkdir(0x0, 0x0) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, &(0x7f00000009c0)}) [ 854.740791][T21905] binder: 21903:21905 ioctl c018620b 0 returned -14 [ 854.744516][T21906] binder: 21904:21906 ioctl c018620b 0 returned -14 [ 854.748165][T21905] binder: 21905 RLIMIT_NICE not set [ 854.755072][T21906] binder: 21906 RLIMIT_NICE not set 07:50:00 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:00 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:01 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:01 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 855.354115][T21917] binder: 21916:21917 ioctl c018620b 0 returned -14 [ 855.369005][T21917] binder: 21917 RLIMIT_NICE not set 07:50:01 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 855.403157][T21921] binder: 21920:21921 ioctl c018620b 0 returned -14 [ 855.414698][T21922] binder_thread_write: 21 callbacks suppressed [ 855.414711][T21922] binder: 21916:21922 BC_INCREFS_DONE u0000000000000000 no match [ 855.449226][T21921] binder: 21921 RLIMIT_NICE not set [ 855.454046][T21927] binder: 21926:21927 ioctl c018620b 0 returned -14 [ 855.475565][T21927] binder: 21927 RLIMIT_NICE not set [ 855.495796][T21928] binder: BINDER_SET_CONTEXT_MGR already set 07:50:01 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:01 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 855.501820][T21928] binder: 21920:21928 ioctl 40046207 0 returned -16 [ 855.511114][T21928] binder: 21920:21928 BC_INCREFS_DONE u0000000000000000 no match [ 855.520980][T21928] binder: 21920:21928 Release 1 refcount change on invalid ref 1 ret -22 [ 855.530228][T21930] binder_transaction: 25 callbacks suppressed [ 855.530244][T21930] binder: 21926:21930 transaction failed 29189/-22, size 24-8 line 2994 07:50:01 executing program 1: syz_open_dev$sndseq(0x0, 0x0, 0x0) mkdir(0x0, 0x0) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, &(0x7f00000009c0)}) [ 855.572195][T21930] binder: 21926:21930 BC_INCREFS_DONE u0000000000000000 no match [ 855.587458][T21934] binder: 21933:21934 ioctl c018620b 0 returned -14 [ 855.617134][T21934] binder: 21934 RLIMIT_NICE not set [ 855.618724][T21936] binder: 21935:21936 ioctl c018620b 0 returned -14 [ 855.665234][T21937] binder: 21933:21937 transaction failed 29189/-22, size 24-8 line 2994 [ 855.674287][T21937] binder: 21933:21937 BC_INCREFS_DONE u0000000000000000 no match 07:50:01 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 856.191996][T21942] binder: 21941:21942 ioctl c018620b 0 returned -14 07:50:02 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 856.249303][T21945] binder: 21944:21945 ioctl c018620b 0 returned -14 [ 856.261478][T21946] binder: 21941:21946 ioctl c0306201 0 returned -14 [ 856.268599][T21946] binder: 21941:21946 BC_INCREFS_DONE u0000000000000000 no match [ 856.311845][T21950] binder: BINDER_SET_CONTEXT_MGR already set [ 856.318321][T21950] binder: 21944:21950 ioctl 40046207 0 returned -16 [ 856.321326][T21949] binder: 21948:21949 ioctl c018620b 0 returned -14 [ 856.326079][T21950] binder: 21944:21950 BC_INCREFS_DONE u0000000000000000 no match [ 856.340640][T21950] binder: 21944:21950 Release 1 refcount change on invalid ref 1 ret -22 07:50:02 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:02 executing program 1: syz_open_dev$sndseq(0x0, 0x0, 0x0) mkdir(0x0, 0x0) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) [ 856.363522][T31463] binder: release 21931:21938 transaction 1843 out, still active [ 856.374572][T31463] binder: send failed reply for transaction 1843, target dead [ 856.382071][T31463] binder: send failed reply for transaction 1846 to 21935:21939 [ 856.389960][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 856.401160][T21951] binder: 21948:21951 transaction failed 29189/-22, size 24-8 line 2994 07:50:02 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 856.432731][T21951] binder: 21948:21951 BC_INCREFS_DONE u0000000000000000 no match [ 856.469537][T21957] binder: 21956:21957 ioctl c018620b 0 returned -14 [ 856.477175][T21958] binder: 21955:21958 ioctl c018620b 0 returned -14 07:50:02 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 857.025918][T21964] binder: 21963:21964 ioctl c018620b 0 returned -14 07:50:02 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 857.085568][T21968] binder: 21963:21968 ioctl c0306201 0 returned -14 [ 857.092702][T21967] binder: 21966:21967 ioctl c018620b 0 returned -14 [ 857.093017][T21968] binder: 21963:21968 BC_INCREFS_DONE u0000000000000000 no match [ 857.146725][T21971] binder: BINDER_SET_CONTEXT_MGR already set [ 857.153030][T21971] binder: 21966:21971 ioctl 40046207 0 returned -16 [ 857.160468][T21971] binder: 21966:21971 BC_INCREFS_DONE u0000000000000000 no match [ 857.169520][T21971] binder: 21966:21971 Release 1 refcount change on invalid ref 1 ret -22 [ 857.178803][T21972] binder: 21970:21972 ioctl c018620b 0 returned -14 07:50:02 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:03 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(0x0) [ 857.231692][T21973] binder: 21970:21973 BC_INCREFS_DONE u0000000000000000 no match [ 857.253463][T31463] binder: release 21953:21959 transaction 1851 out, still active [ 857.261986][T31463] binder: send failed reply for transaction 1851, target dead [ 857.269723][T31463] binder: send failed reply for transaction 1854 to 21956:21960 07:50:03 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 857.303437][T31463] binder: send failed reply for transaction 1857 to 21955:21961 [ 857.311253][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 857.328187][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 857.335696][T21977] binder: 21975:21977 ioctl c018620b 0 returned -14 [ 857.353809][ C1] net_ratelimit: 20 callbacks suppressed [ 857.353826][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 857.365805][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 857.372610][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 857.378827][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 857.385338][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 857.388876][T21981] binder: 21975:21981 transaction failed 29189/-22, size 24-8 line 2994 [ 857.393077][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:50:03 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 857.545981][T21986] binder: BINDER_SET_CONTEXT_MGR already set [ 857.554500][T21986] binder: 21984:21986 ioctl 40046207 0 returned -16 07:50:03 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 857.860818][T21989] binder: 21988:21989 ioctl c018620b 0 returned -14 07:50:03 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 857.913708][T21992] binder: 21988:21992 ioctl c0306201 0 returned -14 [ 857.924107][T21993] binder: 21991:21993 ioctl c018620b 0 returned -14 [ 857.984430][T21995] binder: BINDER_SET_CONTEXT_MGR already set [ 857.990477][T21995] binder: 21991:21995 ioctl 40046207 0 returned -16 [ 858.002478][T21995] binder: 21991:21995 ioctl c0306201 0 returned -14 [ 858.010394][T21997] binder: 21996:21997 ioctl c018620b 0 returned -14 [ 858.017833][T21995] binder: 21991:21995 Release 1 refcount change on invalid ref 1 ret -22 [ 858.073437][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 858.079341][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 858.085178][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 858.090915][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:03 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(0x0) 07:50:03 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 858.143443][ T7675] binder: release 21976:21982 transaction 1863 out, still active [ 858.156101][ T7675] binder: send failed reply for transaction 1863, target dead [ 858.163867][ T7675] binder: send failed reply for transaction 1866 to 21984:21986 [ 858.180109][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 07:50:03 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 858.194296][T22001] binder: 22000:22001 ioctl c018620b 0 returned -14 [ 858.270817][T22006] binder: 22000:22006 transaction failed 29189/-22, size 24-8 line 2994 [ 858.303708][T22009] binder: BINDER_SET_CONTEXT_MGR already set [ 858.309817][T22009] binder: 22004:22009 ioctl 40046207 0 returned -16 07:50:04 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 858.684958][T22012] binder: 22010:22012 ioctl c018620b 0 returned -14 [ 858.754442][T22016] binder: 22015:22016 ioctl c018620b 0 returned -14 07:50:04 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 858.814730][T22017] binder: BINDER_SET_CONTEXT_MGR already set [ 858.820755][T22017] binder: 22015:22017 ioctl 40046207 0 returned -16 [ 858.828641][T22017] binder: 22015:22017 ioctl c0306201 0 returned -14 [ 858.840504][T22017] binder: 22015:22017 Release 1 refcount change on invalid ref 1 ret -22 [ 858.858718][T22020] binder: 22019:22020 ioctl c018620b 0 returned -14 07:50:04 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(0x0) 07:50:04 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:04 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 859.011616][T22023] binder: 22022:22023 ioctl c018620b 0 returned -14 [ 859.013820][T31463] binder: release 22002:22007 transaction 1871 out, still active [ 859.032139][ T7675] binder: send failed reply for transaction 1871, target dead [ 859.042033][ T7675] binder: send failed reply for transaction 1874 to 22004:22009 [ 859.064702][T22025] binder: 22022:22025 transaction failed 29189/-22, size 24-8 line 2994 [ 859.069058][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 859.092297][T22027] binder: 22026:22027 ioctl c018620b 0 returned -14 [ 859.163519][T22032] binder: BINDER_SET_CONTEXT_MGR already set [ 859.169668][T22032] binder: 22028:22032 ioctl 40046207 0 returned -16 07:50:05 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 859.531014][T22035] binder: 22034:22035 ioctl c018620b 0 returned -14 [ 859.541242][T22035] binder_set_nice: 27 callbacks suppressed [ 859.541249][T22035] binder: 22035 RLIMIT_NICE not set [ 859.581789][T22038] binder: 22037:22038 ioctl c018620b 0 returned -14 [ 859.589325][T22038] binder: 22038 RLIMIT_NICE not set 07:50:05 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 859.635613][T22040] binder: BINDER_SET_CONTEXT_MGR already set [ 859.641886][T22040] binder: 22037:22040 ioctl 40046207 0 returned -16 [ 859.653307][T22040] binder: 22037:22040 ioctl c0306201 0 returned -14 [ 859.660880][T22040] binder: 22037:22040 Release 1 refcount change on invalid ref 1 ret -22 [ 859.691815][T22043] binder: 22042:22043 ioctl c018620b 0 returned -14 [ 859.702432][T22043] binder: 22043 RLIMIT_NICE not set [ 859.748683][T22044] binder: 22042:22044 ioctl c0306201 0 returned -14 07:50:05 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 859.860401][T22046] binder: 22046 RLIMIT_NICE not set 07:50:05 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 859.892801][T22046] binder: BINDER_SET_CONTEXT_MGR already set [ 859.901823][T22046] binder: 22045:22046 ioctl 40046207 0 returned -16 [ 859.903616][ T7675] binder: release 22026:22031 transaction 1879 out, still active 07:50:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 859.939382][T22046] binder_alloc_new_buf_locked: 9 callbacks suppressed [ 859.939430][T22046] binder_alloc: 22026: binder_alloc_buf, no vma [ 859.949212][ T7675] binder: send failed reply for transaction 1879, target dead [ 859.979559][ T7675] binder: send failed reply for transaction 1882 to 22028:22032 07:50:05 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 859.986188][T22046] binder: 22045:22046 transaction failed 29189/-3, size 24-8 line 3147 [ 859.991816][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 860.005481][T22050] binder: 22049:22050 ioctl c018620b 0 returned -14 [ 860.019208][T22050] binder: 22050 RLIMIT_NICE not set [ 860.024376][T22051] binder: 22051 RLIMIT_NICE not set [ 860.066217][T22050] binder: 22050 RLIMIT_NICE not set [ 860.070428][T22055] binder: BINDER_SET_CONTEXT_MGR already set [ 860.082725][T22055] binder: 22048:22055 ioctl 40046207 0 returned -16 [ 860.091938][T22053] binder: 22053 RLIMIT_NICE not set [ 860.099687][T22053] binder: BINDER_SET_CONTEXT_MGR already set [ 860.106404][T22053] binder: 22052:22053 ioctl 40046207 0 returned -16 [ 860.165860][T22056] binder: 22052:22056 BC_INCREFS_DONE node 1894 has no pending increfs request 07:50:06 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 860.363324][T22059] binder: 22058:22059 ioctl c018620b 0 returned -14 [ 860.370496][T22059] binder: 22059 RLIMIT_NICE not set [ 860.413287][T22062] binder: 22061:22062 ioctl c018620b 0 returned -14 [ 860.421518][T22062] binder: 22062 RLIMIT_NICE not set 07:50:06 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 860.468543][T22064] binder: BINDER_SET_CONTEXT_MGR already set [ 860.476578][T22064] binder: 22061:22064 ioctl 40046207 0 returned -16 [ 860.484004][T22064] binder_thread_write: 14 callbacks suppressed [ 860.484016][T22064] binder: 22061:22064 BC_INCREFS_DONE u0000000000000000 no match [ 860.499041][T22064] binder: 22061:22064 Release 1 refcount change on invalid ref 1 ret -22 [ 860.528374][T22067] binder: 22066:22067 ioctl c018620b 0 returned -14 [ 860.581735][T22068] binder: 22066:22068 ioctl c0306201 0 returned -14 [ 860.589078][T22068] binder: 22066:22068 BC_INCREFS_DONE u0000000000000000 no match 07:50:06 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 860.776693][T31463] binder: release 22049:22054 transaction 1887 out, still active [ 860.786797][T31463] binder: release 22048:22055 transaction 1890 out, still active [ 860.801761][ T7675] binder: send failed reply for transaction 1887, target dead [ 860.816979][ T7675] binder: send failed reply for transaction 1890, target dead 07:50:06 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:06 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 860.828203][ T7675] binder: send failed reply for transaction 1893 to 22052:22053 [ 860.856797][T22073] binder: 22072:22073 ioctl c018620b 0 returned -14 [ 860.917403][T22076] binder: BINDER_SET_CONTEXT_MGR already set [ 860.924018][T22076] binder: 22072:22076 ioctl 40046207 0 returned -16 [ 860.935107][T22076] binder: 22072:22076 Release 1 refcount change on invalid ref 1 ret -22 [ 860.947128][T22077] binder: BINDER_SET_CONTEXT_MGR already set [ 860.953232][T22077] binder: 22070:22077 ioctl 40046207 0 returned -16 [ 860.959999][T22078] binder: 22074:22078 BC_INCREFS_DONE node 1898 has no pending increfs request 07:50:06 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 861.196105][T22081] binder: 22080:22081 ioctl c018620b 0 returned -14 [ 861.226845][T22083] binder: 22082:22083 ioctl c018620b 0 returned -14 [ 861.249690][T22085] binder: 22080:22085 BC_INCREFS_DONE u0000000000000000 no match [ 861.280729][T22086] binder: BINDER_SET_CONTEXT_MGR already set [ 861.287339][T22086] binder: 22082:22086 ioctl 40046207 0 returned -16 07:50:07 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 861.295126][T22086] binder: 22082:22086 BC_INCREFS_DONE u0000000000000000 no match [ 861.303475][T22086] binder: 22082:22086 Release 1 refcount change on invalid ref 1 ret -22 [ 861.361383][T22089] binder: 22088:22089 ioctl c018620b 0 returned -14 [ 861.416891][T22090] binder: 22088:22090 ioctl c0306201 0 returned -14 [ 861.427964][T22090] binder: 22088:22090 BC_INCREFS_DONE u0000000000000000 no match 07:50:07 executing program 1: r0 = syz_open_dev$sndseq(&(0x7f0000000600)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000068f50)={{0x80}, 'por\xff\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\xff\xff\xff\xff\xff\xff\xff\xef\x00\x00\x03\xff\x00\x00\x00\x00\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00', 0xc3, 0x80003}) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer2\x00', 0x406, 0x0) dup2(r1, r0) 07:50:07 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 861.653890][T31463] binder: release 22070:22077 transaction 1903 out, still active [ 861.661724][T31463] binder: release 22072:22076 transaction 1900 out, still active 07:50:07 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:07 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_kvm_setup_cpu$x86(r1, r2, &(0x7f000013d000/0x18000)=nil, 0x0, 0x1f3, 0x0, 0x0, 0x0) [ 861.708311][ T7675] binder: release 22074:22075 transaction 1897 out, still active [ 861.741178][ T7675] binder: unexpected work type, 4, not freed [ 861.761962][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 861.770527][ T7675] binder: send failed reply for transaction 1897, target dead [ 861.782547][ T7675] binder: send failed reply for transaction 1900, target dead [ 861.792347][ T7675] binder: send failed reply for transaction 1903, target dead [ 861.822597][T22098] binder: BINDER_SET_CONTEXT_MGR already set [ 861.830179][T22098] binder: 22097:22098 ioctl 40046207 0 returned -16 07:50:07 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) fgetxattr(r0, &(0x7f0000000140)=@known='system.sockprotoname\x00', &(0x7f0000000380)=""/4096, 0x1000) 07:50:07 executing program 1: r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) connect$inet6(r0, &(0x7f0000000200)={0xa, 0x0, 0x0, @loopback}, 0x1c) [ 861.889738][T22104] binder: 22097:22104 BC_INCREFS_DONE node 1911 has no pending increfs request 07:50:07 executing program 1: r0 = socket$kcm(0x2b, 0x1, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f00000009c0)='/Group.stEt\x00\xba\x81C[\x9c\xd7ER\x05\r\xf2\xa97\xed@\xe1\xf2\xa1\x87\x1f\x92\xff\x80_\xa32\x03\x00\x00\x00x\xe7\x03\x00u\xf1\xabU\x9a\x16\xaa\x99\xd6\xad\xb5\xca\xf8\xff\xd4\x9b(\x12\xb6\\P\xa6\xab;\x8e\x90\xba\xe0wb[a\x9a\x0f\x00j\x91Ny8e\x17\x8c4r\xa94\xcb\xe8(\x0fF\xb9q\xc7', 0x2761, 0x0) ioctl$PERF_EVENT_IOC_PAUSE_OUTPUT(r1, 0x40086607, 0x7fffff) 07:50:07 executing program 1: mkdir(&(0x7f0000000140)='./file0\x00', 0x0) clone(0x101, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) lsetxattr$security_selinux(&(0x7f0000000000)='./file0/../file0\x00', &(0x7f0000000180)='security.selinux\x00', 0x0, 0x0, 0x0) openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x0, 0x0) chown(&(0x7f00000000c0)='./file0\x00', 0x0, 0x0) 07:50:07 executing program 1: mkdir(&(0x7f0000000140)='./file0\x00', 0x0) clone(0x101, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) lsetxattr$security_selinux(&(0x7f0000000000)='./file0/../file0\x00', &(0x7f0000000180)='security.selinux\x00', 0x0, 0x0, 0x0) openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x0, 0x0) chown(&(0x7f00000000c0)='./file0\x00', 0x0, 0x0) 07:50:07 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 862.072915][T22124] binder: 22123:22124 ioctl c018620b 0 returned -14 [ 862.086303][T22126] binder: 22125:22126 ioctl c018620b 0 returned -14 07:50:07 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:07 executing program 1: mkdir(&(0x7f0000000140)='./file0\x00', 0x0) clone(0x101, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) lsetxattr$security_selinux(&(0x7f0000000000)='./file0/../file0\x00', &(0x7f0000000180)='security.selinux\x00', 0x0, 0x0, 0x0) openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x0, 0x0) chown(&(0x7f00000000c0)='./file0\x00', 0x0, 0x0) [ 862.139539][T22127] binder: BINDER_SET_CONTEXT_MGR already set [ 862.145725][T22127] binder: 22125:22127 ioctl 40046207 0 returned -16 [ 862.145876][T22128] binder: 22123:22128 BC_INCREFS_DONE u0000000000000000 no match [ 862.153087][T22127] binder: 22125:22127 BC_INCREFS_DONE u0000000000000000 no match [ 862.169347][T22127] binder: 22125:22127 Release 1 refcount change on invalid ref 1 ret -22 [ 862.213591][T22134] binder: 22133:22134 ioctl c018620b 0 returned -14 [ 862.268044][T22135] binder: 22133:22135 BC_INCREFS_DONE u0000000000000000 no match 07:50:08 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:08 executing program 4: r0 = openat$ion(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/ion\x00', 0x0, 0x0) ioctl$ION_IOC_ALLOC(r0, 0xc0184900, &(0x7f00000000c0)={0x7ff, 0x2f, 0x0, 0xffffffffffffffff}) ioctl$DMA_BUF_IOCTL_SYNC(r1, 0x40086200, &(0x7f0000000240)=0x2) 07:50:08 executing program 1: mkdir(&(0x7f0000000140)='./file0\x00', 0x0) clone(0x101, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) lsetxattr$security_selinux(&(0x7f0000000000)='./file0/../file0\x00', &(0x7f0000000180)='security.selinux\x00', 0x0, 0x0, 0x0) openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x0, 0x0) chown(&(0x7f00000000c0)='./file0\x00', 0x0, 0x0) [ 862.522261][ T7675] binder: release 22095:22102 transaction 1907 out, still active [ 862.537709][T31463] binder: send failed reply for transaction 1907, target dead [ 862.545439][T31463] binder: send failed reply for transaction 1910 to 22097:22098 07:50:08 executing program 1: socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000480)='/dev/full\x00', 0x0, 0x0) setsockopt$packet_rx_ring(r1, 0x107, 0x5, &(0x7f00000004c0)=@req={0x4, 0x7, 0xffffffff}, 0x10) bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) setsockopt$sock_timeval(0xffffffffffffffff, 0x1, 0x15, 0x0, 0x0) listen(r0, 0x80) setsockopt$inet6_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) sendto$inet6(r2, 0x0, 0xfffffffffffffdc6, 0x20000004, &(0x7f0000000280)={0xa, 0x4e22}, 0x1c) r3 = openat$zero(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/zero\x00', 0x200000, 0x0) getpeername$unix(r1, &(0x7f0000000300)=@abs, &(0x7f0000000380)=0x6e) write(r2, &(0x7f0000000380), 0xfffffffe) recvfrom$inet6(r2, &(0x7f0000001840)=""/31, 0xfffffe0e, 0x100, &(0x7f0000001880), 0x1c) r4 = socket$inet_tcp(0x2, 0x1, 0x0) mknod(&(0x7f0000000000)='./file0\x00', 0x0, 0x0) r5 = open(&(0x7f0000000040)='./file0\x00', 0x611, 0x0) execve(0x0, &(0x7f00000003c0), 0x0) pwritev(r5, &(0x7f0000000100), 0x3a3, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8914, &(0x7f0000000000)={'lo\x00'}) ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8914, &(0x7f0000000140)={'lo\x00\x00\x00$\x00\x00\x00\x00\x00\x00\b\x00\x00\x11', 0xff}) r6 = accept4(r0, 0x0, 0x0, 0x0) sendto$inet6(r6, &(0x7f00000000c0), 0xfffffdda, 0x0, 0x0, 0x0) open(&(0x7f00000001c0)='./file1\x00', 0x40, 0x20) ioctl$TIOCGSID(r3, 0x5429, &(0x7f00000002c0)) clock_gettime(0x0, &(0x7f0000000200)={0x0, 0x0}) clock_settime(0x0, &(0x7f0000000240)={r7, r8+10000000}) 07:50:08 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_FFBIT(r0, 0x4004556b, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$UI_END_FF_ERASE(r0, 0x8004552d, 0x0) 07:50:08 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000000740)=[{&(0x7f0000000340)=""/143, 0x8f}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000080)='net/mcfilter6\x00') ioctl$SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE(r0, 0xc0045520, &(0x7f0000000000)) preadv(r0, &(0x7f0000000480), 0x1000000000000116, 0x0) [ 862.621332][T22142] ion_buffer_destroy: buffer still mapped in the kernel 07:50:08 executing program 4: r0 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000700)={0xa, 0x0, 0x0, @dev, 0x3}, 0x1c) r1 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r1, &(0x7f0000000180)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x0, @multicast2}, 0x4}}, 0x26) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@local, @in, 0x4, 0x0, 0x0, 0x0, 0xa}, {0x0, 0x0, 0xb74}, {0xfffffffffffffffc}, 0x0, 0x0, 0x1}, {{@in, 0x0, 0x33}, 0x0, @in6=@mcast2, 0x0, 0x1, 0x0, 0x0, 0xfffffffffffffffe}}, 0xe8) sendmmsg(r1, &(0x7f0000005fc0), 0x800000000000059, 0x0) setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, &(0x7f0000000600)={0x0, 0x6}, 0x4) 07:50:08 executing program 4: syz_open_dev$video(0x0, 0x0, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r0 = syz_open_dev$usbmon(&(0x7f0000000380)='/dev/usbmon#\x00', 0x3, 0x4002) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000180)) getpgid(0x0) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000700)='memory.events\x00\x8a\xaaE\x90\x14S\x81N\b\xee\x14-2%r\x91d\xedwz\xcb\x1d\xf4\x00}M\xa7\xb5\xb5\xdb!&\xfb\xafc\xed\x9e\xed(RR\xbd3g\xcd^\xae\xf0_\xd8\r\x15i+\xaa\x01\x0fR\xf0&\xeb\xafn#\x18\x85@\xcay\x84\xaa\x0e\xf7\x90\b\xa9D\xe7\xe4\x18\xfd\xc3\xd3\x94\x02s\xde\xe4\xdez\xe01\xc5[\xd4\xbeT\xb5\xb6x\x9b\xab{\xfb\xd4dUht\"\b%H:v?x\xd4\xa2l\xe3\xf2\xcd\xf1\xeb\fl\x04\xdb+\x1f$\x86I\t@\x83\xd7!z\x00z\xda\x11t\xaa\xd7\x8b\xedZ/v}1V,W\xe6\t\a\xeba', 0x0, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x88, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000600)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffffff, 0x84, 0x12, &(0x7f0000000300)=0x4, 0x260) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'team_slave_0\x00', 0x2}, 0x0) r3 = syz_open_dev$video4linux(&(0x7f0000000040)='/dev/v4l-subdev#\x00', 0x2000001, 0x0) ioctl$VIDIOC_SUBDEV_S_FMT(r3, 0xc0585605, &(0x7f00000001c0)={0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8}}) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, &(0x7f0000000280)=0x3, 0x4) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) r4 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000400)='/dev/ppp\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) unshare(0x40000000) socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000100)={&(0x7f00000000c0)={0x20000010, 0x0, 0x2000000000000}, 0xc, 0x0}, 0x0) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r1, 0x84, 0x1a, &(0x7f0000000e00)=ANY=[@ANYRES16, @ANYRESHEX=r4, @ANYPTR, @ANYRESDEC=r2, @ANYRES32, @ANYRES16=r4], &(0x7f0000000dc0)=0x6) ioctl$SG_GET_PACK_ID(0xffffffffffffffff, 0x227c, 0x0) setsockopt$inet_sctp6_SCTP_ADD_STREAMS(r4, 0x84, 0x79, &(0x7f00000002c0), 0x8) bpf$OBJ_PIN_PROG(0x6, 0x0, 0x0) ioctl$PERF_EVENT_IOC_RESET(r2, 0x2403, 0x2) syz_open_dev$usbmon(&(0x7f0000000240)='/dev/usbmon#\x00', 0x77, 0x0) setsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r1, 0x84, 0xc, &(0x7f0000000200)=0x20, 0x4) io_setup(0x8000000000007ff, &(0x7f0000000340)) 07:50:08 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 862.852081][T22161] IPVS: ftp: loaded support on port[0] = 21 [ 862.965989][T22168] binder: 22167:22168 ioctl c018620b 0 returned -14 [ 862.978237][T22169] binder: 22166:22169 ioctl c018620b 0 returned -14 07:50:08 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 863.057131][T22170] binder: BINDER_SET_CONTEXT_MGR already set [ 863.064616][T22172] binder: 22166:22172 BC_INCREFS_DONE u0000000000000000 no match [ 863.084247][T22170] binder: 22167:22170 ioctl 40046207 0 returned -16 [ 863.105002][T22174] binder: 22173:22174 ioctl c018620b 0 returned -14 [ 863.123067][T22170] binder: 22167:22170 BC_INCREFS_DONE u0000000000000000 no match [ 863.146921][T22170] binder: 22167:22170 Release 1 refcount change on invalid ref 1 ret -22 [ 863.266556][T22161] IPVS: ftp: loaded support on port[0] = 21 07:50:09 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 863.373464][ T7675] binder: send failed reply for transaction 1914 to 22136:22147 [ 863.381210][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 07:50:09 executing program 4: syz_open_dev$video(0x0, 0x0, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r0 = syz_open_dev$usbmon(&(0x7f0000000380)='/dev/usbmon#\x00', 0x3, 0x4002) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000180)) getpgid(0x0) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000700)='memory.events\x00\x8a\xaaE\x90\x14S\x81N\b\xee\x14-2%r\x91d\xedwz\xcb\x1d\xf4\x00}M\xa7\xb5\xb5\xdb!&\xfb\xafc\xed\x9e\xed(RR\xbd3g\xcd^\xae\xf0_\xd8\r\x15i+\xaa\x01\x0fR\xf0&\xeb\xafn#\x18\x85@\xcay\x84\xaa\x0e\xf7\x90\b\xa9D\xe7\xe4\x18\xfd\xc3\xd3\x94\x02s\xde\xe4\xdez\xe01\xc5[\xd4\xbeT\xb5\xb6x\x9b\xab{\xfb\xd4dUht\"\b%H:v?x\xd4\xa2l\xe3\xf2\xcd\xf1\xeb\fl\x04\xdb+\x1f$\x86I\t@\x83\xd7!z\x00z\xda\x11t\xaa\xd7\x8b\xedZ/v}1V,W\xe6\t\a\xeba', 0x0, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x88, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000600)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffffff, 0x84, 0x12, &(0x7f0000000300)=0x4, 0x260) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'team_slave_0\x00', 0x2}, 0x0) r3 = syz_open_dev$video4linux(&(0x7f0000000040)='/dev/v4l-subdev#\x00', 0x2000001, 0x0) ioctl$VIDIOC_SUBDEV_S_FMT(r3, 0xc0585605, &(0x7f00000001c0)={0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8}}) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, &(0x7f0000000280)=0x3, 0x4) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) r4 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000400)='/dev/ppp\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) unshare(0x40000000) socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000100)={&(0x7f00000000c0)={0x20000010, 0x0, 0x2000000000000}, 0xc, 0x0}, 0x0) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r1, 0x84, 0x1a, &(0x7f0000000e00)=ANY=[@ANYRES16, @ANYRESHEX=r4, @ANYPTR, @ANYRESDEC=r2, @ANYRES32, @ANYRES16=r4], &(0x7f0000000dc0)=0x6) ioctl$SG_GET_PACK_ID(0xffffffffffffffff, 0x227c, 0x0) setsockopt$inet_sctp6_SCTP_ADD_STREAMS(r4, 0x84, 0x79, &(0x7f00000002c0), 0x8) bpf$OBJ_PIN_PROG(0x6, 0x0, 0x0) ioctl$PERF_EVENT_IOC_RESET(r2, 0x2403, 0x2) syz_open_dev$usbmon(&(0x7f0000000240)='/dev/usbmon#\x00', 0x77, 0x0) setsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r1, 0x84, 0xc, &(0x7f0000000200)=0x20, 0x4) io_setup(0x8000000000007ff, &(0x7f0000000340)) [ 863.488013][T22183] IPVS: ftp: loaded support on port[0] = 21 [ 863.593623][ C1] net_ratelimit: 20 callbacks suppressed [ 863.593681][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 863.605440][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 863.611384][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 863.617262][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 863.623307][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 863.629114][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:50:09 executing program 1: r0 = syz_genetlink_get_family_id$tipc2(0x0) write$ppp(0xffffffffffffffff, &(0x7f0000000580)="ba646ca36843c2188c78e319fd32177b6f611cadbf4ddbc185e6bd62d5c2e6c639400d921f5b5ebf8110715c4d5ac350cbe937e68f730d6855dbabc27062c823d11fca14bd1b79f69965e86e44eefac5b8b31a7b922558754f5e67c7863df7b52763e3842fcab3a72c6adb89060448aa567d5de8ae9d26e00f234bdf823ad71f0a9f683a2a484a2d141308fa20cb4596caf1881303612482a47713e1f07d543ee3d990c8d89e44ec9c4fd16b3f4211674d1e789cbec92666bf2d92ef03", 0xbd) sendmsg$TIPC_NL_PUBL_GET(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000180)={0x5c, r0, 0x400, 0x0, 0x25dfdbfe, {}, [@TIPC_NLA_BEARER={0x34, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @remote}}, {0x14, 0x2, @in={0x2, 0x0, @initdev}}}}, @TIPC_NLA_BEARER_PROP={0x4}]}, @TIPC_NLA_SOCK={0x14, 0x2, [@TIPC_NLA_SOCK_REF={0x8, 0x2, 0x2}, @TIPC_NLA_SOCK_ADDR={0x8}]}]}, 0x5c}, 0x1, 0x0, 0x0, 0x4000}, 0x4) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f00000014c0)='/dev/loop-control\x00', 0x0, 0x0) r2 = dup(r1) ioctl$sock_inet6_tcp_SIOCINQ(r2, 0x4c81, 0xfffffffffffffffe) syz_open_dev$loop(&(0x7f0000000040)='/dev/loop#\x00', 0x0, 0x0) 07:50:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:09 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 863.837321][T22199] binder: 22196:22199 ioctl c018620b 0 returned -14 07:50:09 executing program 1: r0 = syz_open_dev$evdev(&(0x7f0000000280)='/dev/input/event#\x00', 0x3, 0x0) ioctl$EVIOCGABS0(r0, 0x80184540, &(0x7f0000000080)=""/236) 07:50:09 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 863.884577][T22202] binder: 22201:22202 ioctl c018620b 0 returned -14 [ 863.919018][T22204] binder: BINDER_SET_CONTEXT_MGR already set [ 863.942423][T22204] binder: 22196:22204 ioctl 40046207 0 returned -16 [ 863.949530][T22205] binder: 22201:22205 got transaction with invalid offset (0, min 0 max 0) or object. [ 863.964764][T22204] binder: 22196:22204 Release 1 refcount change on invalid ref 1 ret -22 [ 863.966031][T22209] binder: 22208:22209 ioctl c018620b 0 returned -14 [ 863.980122][T22205] binder: 22201:22205 transaction failed 29201/-22, size 0-8 line 3241 07:50:09 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x2000001000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000400)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0xfffffffffffffdb3, 0x0, 0x0, 0xed) ioctl$KVM_REGISTER_COALESCED_MMIO(r2, 0x4010ae67, &(0x7f00000000c0)={0x0, 0x119000}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, 0x0, 0xffffffffffffff12, 0xfffffffffffffffe, 0x0, 0x117) ioctl$FITRIM(0xffffffffffffffff, 0xc0185879, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 07:50:09 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x910, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) prctl$PR_GET_NO_NEW_PRIVS(0x27) 07:50:09 executing program 1: r0 = socket(0xa, 0x1, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000700)={'bridge_slave_0\x00'}) sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="000000000000000024001200140001006272696467655f736c617665000000000c00050008000a00f0000000"], 0x1}}, 0x0) 07:50:09 executing program 1: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) r1 = socket$inet6_udp(0xa, 0x2, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000640)='/dev/dsp\x00', 0x80, 0x0) ioctl$SNDRV_TIMER_IOCTL_GSTATUS(0xffffffffffffffff, 0xc0505405, 0x0) connect$inet6(r1, &(0x7f0000000700)={0xa, 0x4e20, 0x0, @dev, 0x3}, 0x1c) r2 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r2, &(0x7f0000000180)=@pppol2tpv3={0x18, 0x1, {0x0, r1, {0x2, 0x0, @multicast2}, 0x4}}, 0x26) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@local, @in, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in, 0x0, 0x33}, 0x0, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}}, 0xe8) sendmmsg(r2, &(0x7f0000005fc0), 0x800000000000059, 0x0) bind$netlink(r0, &(0x7f0000000080)={0x10, 0x0, 0x0, 0x1}, 0x41) ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f00000005c0)) r3 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_fanout(r3, 0x107, 0x12, &(0x7f0000000600)={0x0, 0x6}, 0x4) setsockopt$packet_fanout_data(r3, 0x107, 0x16, &(0x7f00000000c0)={0x1, &(0x7f0000000040)=[{0x16}]}, 0x10) [ 864.193076][T22224] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. [ 864.213656][T31463] binder: release 22179:22184 transaction 1918 out, still active 07:50:09 executing program 4: mknod(0x0, 0x0, 0x0) r0 = creat(&(0x7f0000000080)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x10a) close(r0) execve(&(0x7f0000000100)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) dup2(r0, r1) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(0xffffffffffffffff, 0x6, 0x16, 0x0, 0x0) open$dir(0x0, 0x0, 0x0) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f00000000c0)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) sendmsg$TIPC_CMD_SET_LINK_PRI(r0, &(0x7f0000000200)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)=ANY=[@ANYBLOB], 0x1}, 0x1, 0x0, 0x0, 0x40}, 0x0) 07:50:10 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 864.257042][T31463] binder: send failed reply for transaction 1918, target dead [ 864.313509][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 864.319346][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 864.325325][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 864.331082][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:10 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:10 executing program 4: perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000100)='stat\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000241, 0x0) open(0x0, 0x0, 0x0) 07:50:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:10 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:10 executing program 4: openat$random(0xffffffffffffff9c, 0x0, 0x200000000000000, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_kvm_setup_cpu$x86(r1, r2, &(0x7f000013d000/0x18000)=nil, 0x0, 0x1f3, 0x0, 0x0, 0x0) [ 864.694790][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 864.715637][T22249] binder: 22248:22249 ioctl c018620b 0 returned -14 07:50:10 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:10 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) [ 864.754218][T22249] binder_set_nice: 21 callbacks suppressed [ 864.754225][T22249] binder: 22249 RLIMIT_NICE not set [ 864.802422][T22257] binder: BINDER_SET_CONTEXT_MGR already set [ 864.825377][T22257] binder: 22248:22257 ioctl 40046207 0 returned -16 [ 864.825499][T22255] binder: 22254:22255 ioctl c018620b 0 returned -14 [ 864.851518][T22261] binder: 22260:22261 ioctl c018620b 0 returned -14 [ 864.860561][T22255] binder: 22255 RLIMIT_NICE not set [ 864.867994][T22257] binder: 22248:22257 Release 1 refcount change on invalid ref 1 ret -22 [ 864.870263][T22261] binder: 22261 RLIMIT_NICE not set 07:50:10 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:10 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0xf7c, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$unix(0x1, 0x0, 0x0) ioctl$sock_inet_SIOCGIFADDR(r0, 0x8915, 0x0) r1 = timerfd_create(0x0, 0x0) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f0000000300)='cgroup2\x00', 0x0, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r1, 0xc028660f, &(0x7f0000000100)={0x0, r0, 0x4, 0x0, 0x200, 0x8}) ioctl$FITRIM(0xffffffffffffffff, 0xc0185879, 0x0) ioctl(0xffffffffffffffff, 0x1, 0x0) stat(&(0x7f0000000400)='./file0\x00', 0x0) rmdir(&(0x7f0000000240)='./file0//ile0\x00') openat(0xffffffffffffffff, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) 07:50:10 executing program 4: bind$netlink(0xffffffffffffffff, 0x0, 0x0) r0 = socket$packet(0x11, 0x2, 0x300) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x2000001000008912, &(0x7f0000000100)="0adc1f127c123f3188b070") setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f0000000600), 0x4) [ 864.907106][T22264] binder: 22254:22264 got transaction with invalid offset (0, min 0 max 0) or object. [ 864.932368][T22264] binder: 22254:22264 transaction failed 29201/-22, size 0-8 line 3241 07:50:10 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) [ 865.152114][ T7675] binder: release 22229:22234 transaction 1923 out, still active 07:50:10 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:10 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000003c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000400)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffebc) ioctl$KVM_REGISTER_COALESCED_MMIO(r2, 0x4010ae67, &(0x7f00000000c0)={0x0, 0x80000018000}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x8, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$RTC_PLL_SET(0xffffffffffffffff, 0x40207012, &(0x7f0000000040)) 07:50:10 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) [ 865.200280][ T7675] binder: send failed reply for transaction 1923, target dead [ 865.351602][T22283] binder: 22283 RLIMIT_NICE not set 07:50:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:11 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:11 executing program 4: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000100)='./cgroup.cpu\x00', 0x200002, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000700)='./bus\x00', 0x0) inotify_init() fcntl$setstatus(r1, 0x4, 0x6100) ioctl$PIO_CMAP(0xffffffffffffffff, 0x4b71, 0x0) truncate(&(0x7f00000000c0)='./bus\x00', 0x800) r2 = open(&(0x7f00000002c0)='./bus\x00', 0x400, 0x0) lseek(r1, 0x0, 0x2) sendfile(r1, r2, 0x0, 0x8000fffffffe) socket$inet6(0xa, 0x0, 0x5) sendfile(r1, r2, 0x0, 0xa5cc554) [ 865.588348][T22292] binder: 22291:22292 ioctl c018620b 0 returned -14 [ 865.596148][T31463] binder: undelivered TRANSACTION_ERROR: 29201 [ 865.603583][T22292] binder: 22292 RLIMIT_NICE not set [ 865.641826][T22300] binder: BINDER_SET_CONTEXT_MGR already set [ 865.658030][T22299] binder: 22297:22299 ioctl c018620b 0 returned -14 [ 865.679253][T22300] binder: 22291:22300 ioctl 40046207 0 returned -16 07:50:11 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:11 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$xdp(0x2c, 0x3, 0x0) setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x0, &(0x7f0000000440)={0x0, {{0xa, 0x4e21, 0x4, @mcast2, 0x7}}, {{0xa, 0x4e20, 0xd0c, @rand_addr="294aea6cb59b6fc0a9cac25bab337e43", 0x8}}}, 0x108) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/sync_persist_mode\x00', 0x2, 0x0) r2 = open(&(0x7f00000000c0)='./file0\x00', 0x8000, 0x0) setsockopt$ALG_SET_KEY(r2, 0x117, 0x1, &(0x7f0000000700)="118433d14aac1ab8d07e20487e4bca35576c7ccf09209bf795551bab3f2bc45e06dba29d414f41f43c66bb72e7c1b443fb79e14b094477d41d125adad91670b8c7646a5ba8ca1eed1376a33c6b456c7e6389b82715c50bd61708f57b0097a98bbe5e9671bb0bd6b0e4ba403fca1bc333970f4975cb8040974a36da8a8bb1a53fac8766c67d2d03841627ac219eb126bc899a553a6ff35bbf3d2c7866e956a2f675d1ad7986fe2ee7c0c700aa87a2e60cf3a6adbf162fe28cffce54c3a95783b98db677fa0433752cc1f8f806f92d4c94", 0xd0) r3 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0) write$cgroup_int(r1, &(0x7f0000000140)=0x6, 0x12) ioctl$KDSIGACCEPT(0xffffffffffffffff, 0x4b4e, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, 0x0, &(0x7f0000000100)) getegid() getsockopt$sock_buf(r3, 0x1, 0x0, 0x0, &(0x7f0000000040)) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000240), &(0x7f0000000280)=0xc) write$P9_RSTATu(0xffffffffffffffff, 0x0, 0x0) fadvise64(r0, 0x0, 0x0, 0x0) unshare(0x40000000) [ 865.688120][T22304] binder: 22291:22304 got transaction with invalid offset (0, min 0 max 0) or object. [ 865.699579][T22299] binder: 22299 RLIMIT_NICE not set [ 865.739534][T22307] binder: 22306:22307 ioctl c018620b 0 returned -14 [ 865.746941][T22308] binder: 22297:22308 got transaction with invalid offset (0, min 0 max 0) or object. [ 865.749933][T22304] binder: 22291:22304 transaction failed 29201/-22, size 0-8 line 3241 [ 865.759030][T22309] binder_thread_write: 7 callbacks suppressed [ 865.759040][T22309] binder: 22291:22309 BC_INCREFS_DONE u0000000000000000 no match [ 865.792885][T22308] binder: 22297:22308 transaction failed 29201/-22, size 0-8 line 3241 [ 865.793909][T22312] binder: 22297:22312 BC_INCREFS_DONE u0000000000000000 no match [ 865.807247][T22313] binder: 22313 RLIMIT_NICE not set [ 865.817880][T22307] binder: 22306:22307 BC_INCREFS_DONE u0000000000000000 no match 07:50:11 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 865.851576][T22311] IPVS: ftp: loaded support on port[0] = 21 [ 865.877446][T22316] binder: 22315:22316 ioctl c018620b 0 returned -14 [ 865.915189][T22300] binder: 22291:22300 Release 1 refcount change on invalid ref 1 ret -22 [ 865.924312][T22317] binder: 22317 RLIMIT_NICE not set [ 865.954463][T22316] binder: 22315:22316 BC_INCREFS_DONE u0000000000000000 no match 07:50:11 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:11 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) [ 866.067031][T22320] binder: 22319:22320 ioctl c018620b 0 returned -14 [ 866.074272][ T7675] binder: release 22282:22289 transaction 1928 out, still active 07:50:11 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 866.124589][T22321] binder: 22321 RLIMIT_NICE not set [ 866.134768][T22320] binder: 22319:22320 got transaction with invalid offset (0, min 0 max 0) or object. [ 866.143849][T31463] binder: send failed reply for transaction 1928, target dead [ 866.164809][T22320] binder: 22319:22320 transaction failed 29201/-22, size 0-8 line 3241 07:50:11 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 866.213748][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 866.246143][T22311] IPVS: ftp: loaded support on port[0] = 21 [ 866.272307][T22326] binder: 22326 RLIMIT_NICE not set 07:50:12 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$xdp(0x2c, 0x3, 0x0) setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x0, &(0x7f0000000440)={0x0, {{0xa, 0x4e21, 0x4, @mcast2, 0x7}}, {{0xa, 0x4e20, 0xd0c, @rand_addr="294aea6cb59b6fc0a9cac25bab337e43", 0x8}}}, 0x108) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/sync_persist_mode\x00', 0x2, 0x0) r2 = open(&(0x7f00000000c0)='./file0\x00', 0x8000, 0x0) setsockopt$ALG_SET_KEY(r2, 0x117, 0x1, &(0x7f0000000700)="118433d14aac1ab8d07e20487e4bca35576c7ccf09209bf795551bab3f2bc45e06dba29d414f41f43c66bb72e7c1b443fb79e14b094477d41d125adad91670b8c7646a5ba8ca1eed1376a33c6b456c7e6389b82715c50bd61708f57b0097a98bbe5e9671bb0bd6b0e4ba403fca1bc333970f4975cb8040974a36da8a8bb1a53fac8766c67d2d03841627ac219eb126bc899a553a6ff35bbf3d2c7866e956a2f675d1ad7986fe2ee7c0c700aa87a2e60cf3a6adbf162fe28cffce54c3a95783b98db677fa0433752cc1f8f806f92d4c94", 0xd0) r3 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0) write$cgroup_int(r1, &(0x7f0000000140)=0x6, 0x12) ioctl$KDSIGACCEPT(0xffffffffffffffff, 0x4b4e, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, 0x0, &(0x7f0000000100)) getegid() getsockopt$sock_buf(r3, 0x1, 0x0, 0x0, &(0x7f0000000040)) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000240), &(0x7f0000000280)=0xc) write$P9_RSTATu(0xffffffffffffffff, 0x0, 0x0) fadvise64(r0, 0x0, 0x0, 0x0) unshare(0x40000000) [ 866.329764][T22333] binder: 22332:22333 ioctl c018620b 0 returned -14 [ 866.358239][T22335] IPVS: ftp: loaded support on port[0] = 21 07:50:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 866.383592][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 866.383814][T22336] binder: 22332:22336 got transaction with invalid offset (0, min 0 max 0) or object. [ 866.426477][T22336] binder: 22332:22336 transaction failed 29201/-22, size 0-8 line 3241 [ 866.443880][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 07:50:12 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 866.468330][T22339] binder: 22332:22339 BC_INCREFS_DONE u0000000000000000 no match [ 866.498140][T22340] binder: 22338:22340 ioctl c018620b 0 returned -14 [ 866.526979][T22343] binder: 22342:22343 ioctl c018620b 0 returned -14 [ 866.550422][T22344] binder: BINDER_SET_CONTEXT_MGR already set [ 866.560512][T22344] binder: 22338:22344 ioctl 40046207 0 returned -16 [ 866.577706][T22340] binder: 22338:22340 got transaction with invalid offset (0, min 0 max 0) or object. [ 866.587408][T22340] binder: 22338:22340 transaction failed 29201/-22, size 0-8 line 3241 [ 866.588007][T22340] binder: 22338:22340 Release 1 refcount change on invalid ref 1 ret -22 [ 866.610055][T22345] binder: 22342:22345 got transaction with invalid offset (0, min 0 max 0) or object. [ 866.619726][T22345] binder: 22342:22345 transaction failed 29201/-22, size 0-8 line 3241 07:50:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 866.621938][T31463] binder: undelivered TRANSACTION_ERROR: 29201 07:50:12 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$xdp(0x2c, 0x3, 0x0) setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x0, &(0x7f0000000440)={0x0, {{0xa, 0x4e21, 0x4, @mcast2, 0x7}}, {{0xa, 0x4e20, 0xd0c, @rand_addr="294aea6cb59b6fc0a9cac25bab337e43", 0x8}}}, 0x108) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/sync_persist_mode\x00', 0x2, 0x0) r2 = open(&(0x7f00000000c0)='./file0\x00', 0x8000, 0x0) setsockopt$ALG_SET_KEY(r2, 0x117, 0x1, &(0x7f0000000700)="118433d14aac1ab8d07e20487e4bca35576c7ccf09209bf795551bab3f2bc45e06dba29d414f41f43c66bb72e7c1b443fb79e14b094477d41d125adad91670b8c7646a5ba8ca1eed1376a33c6b456c7e6389b82715c50bd61708f57b0097a98bbe5e9671bb0bd6b0e4ba403fca1bc333970f4975cb8040974a36da8a8bb1a53fac8766c67d2d03841627ac219eb126bc899a553a6ff35bbf3d2c7866e956a2f675d1ad7986fe2ee7c0c700aa87a2e60cf3a6adbf162fe28cffce54c3a95783b98db677fa0433752cc1f8f806f92d4c94", 0xd0) r3 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0) write$cgroup_int(r1, &(0x7f0000000140)=0x6, 0x12) ioctl$KDSIGACCEPT(0xffffffffffffffff, 0x4b4e, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, 0x0, &(0x7f0000000100)) getegid() getsockopt$sock_buf(r3, 0x1, 0x0, 0x0, &(0x7f0000000040)) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000240), &(0x7f0000000280)=0xc) write$P9_RSTATu(0xffffffffffffffff, 0x0, 0x0) fadvise64(r0, 0x0, 0x0, 0x0) unshare(0x40000000) [ 866.714849][T22348] binder: 22347:22348 ioctl c018620b 0 returned -14 [ 866.773579][T22349] binder: BINDER_SET_CONTEXT_MGR already set [ 866.780653][T22349] binder: 22347:22349 ioctl 40046207 0 returned -16 [ 866.789894][T22349] binder: 22347:22349 got transaction with invalid offset (0, min 0 max 0) or object. [ 866.799847][T22349] binder: 22347:22349 transaction failed 29201/-22, size 0-8 line 3241 [ 866.809288][T22349] binder: 22347:22349 Release 1 refcount change on invalid ref 1 ret -22 [ 866.836182][T22351] IPVS: ftp: loaded support on port[0] = 21 07:50:12 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) 07:50:12 executing program 4: socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000003c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0xff7e, 0x0, 0x0, 0x0) 07:50:12 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:12 executing program 4: syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/netstat\x00') perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) capset(&(0x7f0000000040)={0x24020019980330}, &(0x7f0000000140)) clone(0x1ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) getsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f0000000080), 0x10) setpriority(0x2, 0x0, 0x0) syz_open_dev$usbmon(&(0x7f0000000100)='/dev/usbmon#\x00', 0x0, 0x0) [ 867.013704][T31463] binder: release 22325:22331 transaction 1935 out, still active [ 867.039701][T31463] binder: send failed reply for transaction 1935, target dead 07:50:12 executing program 4: r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1) setrlimit(0x7, &(0x7f0000000140)) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) accept4(r0, 0x0, 0x0, 0x0) 07:50:12 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:12 executing program 4: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000011fd4)={0x6, 0x4, 0x4, 0x1}, 0x2c) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000100)={r0, &(0x7f0000000040), 0x0}, 0x18) [ 867.129053][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 07:50:12 executing program 4: r0 = getpid() sched_setscheduler(r0, 0x5, &(0x7f0000000040)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) process_vm_readv(0x0, 0x0, 0x0, &(0x7f0000000940)=[{&(0x7f0000000340)=""/89, 0x59}], 0x1, 0x0) readv(r1, &(0x7f00000000c0)=[{&(0x7f0000000200)=""/255, 0x443}], 0x10000000000000a8) ioctl$TCSETS(r1, 0x40045431, &(0x7f00003b9fdc)) r2 = syz_open_pts(r1, 0x2) dup3(r2, r1, 0x0) write(r1, &(0x7f0000c34fff), 0xffffff0b) [ 867.182312][T22371] binder: 22370:22371 ioctl c018620b 0 returned -14 07:50:13 executing program 4: r0 = msgget$private(0x0, 0x0) msgsnd(0x0, 0x0, 0x0, 0x0) msgsnd(r0, &(0x7f00000002c0)=ANY=[], 0x0, 0x0) msgctl$IPC_RMID(r0, 0x0) [ 867.245667][T22379] binder: 22370:22379 got transaction with invalid offset (0, min 0 max 0) or object. [ 867.255626][T22379] binder: 22370:22379 transaction failed 29201/-22, size 0-8 line 3241 07:50:13 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 867.326230][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 867.386686][T22387] binder: 22386:22387 ioctl c018620b 0 returned -14 07:50:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:13 executing program 4: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000480)=0x100000001, 0x4) connect$inet6(r0, &(0x7f0000000080), 0x1c) r1 = dup2(r0, r0) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r1, 0x6, 0x16, &(0x7f0000000440), 0x2000021c) r2 = socket$inet6(0xa, 0x1, 0x0) connect$inet6(r2, &(0x7f0000000040)={0xa, 0x0, 0x0, @remote, 0x3}, 0x1c) syz_execute_func(&(0x7f0000000040)="3666440f50f564ff0941c3c4e2c9975842c4c27d794e0066420fe2e33e0f1110c442019dccd3196f") mknod(0x0, 0x0, 0x0) ioctl$IOC_PR_RELEASE(0xffffffffffffffff, 0x401070ca, 0x0) shutdown(r2, 0x0) sendto$unix(r1, 0x0, 0x0, 0x80020003ffc, &(0x7f0000000380)=@file={0x0, './file0\x00'}, 0x6e) setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r1, 0x6, 0x16, &(0x7f0000000240)=[@timestamp, @sack_perm, @sack_perm, @sack_perm], 0x4) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0) [ 867.513559][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 867.596174][T22393] binder: 22392:22393 ioctl c018620b 0 returned -14 [ 867.669914][T22396] binder: BINDER_SET_CONTEXT_MGR already set [ 867.682716][T22396] binder: 22392:22396 ioctl 40046207 0 returned -16 [ 867.712306][T22396] binder: 22392:22396 Release 1 refcount change on invalid ref 1 ret -22 07:50:13 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() tkill(r3, 0x16) [ 867.883511][ T7675] binder: release 22359:22372 transaction 1943 out, still active 07:50:13 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:13 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() tkill(r3, 0x16) [ 867.923994][ T7675] binder: send failed reply for transaction 1943, target dead 07:50:13 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 868.065898][T22407] binder: 22406:22407 ioctl c018620b 0 returned -14 07:50:13 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() tkill(r3, 0x16) 07:50:13 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:13 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(0x0, 0x16) [ 868.263287][T22416] binder: 22415:22416 ioctl c018620b 0 returned -14 [ 868.403702][ T7675] binder_release_work: 2 callbacks suppressed [ 868.403709][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 07:50:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 868.753027][T22423] binder: 22422:22423 ioctl c018620b 0 returned -14 [ 868.795409][ T7675] binder: release 22401:22408 transaction 1950 out, still active [ 868.813597][T22424] binder: BINDER_SET_CONTEXT_MGR already set [ 868.819653][T22424] binder: 22422:22424 ioctl 40046207 0 returned -16 07:50:14 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:14 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 868.840028][ T7675] binder: send failed reply for transaction 1950, target dead [ 868.844048][T22424] binder: 22422:22424 Release 1 refcount change on invalid ref 1 ret -22 [ 868.872455][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 868.940258][T22431] binder: 22430:22431 ioctl c018620b 0 returned -14 [ 869.017851][T22432] binder_transaction: 4 callbacks suppressed [ 869.017931][T22432] binder: 22430:22432 got transaction with invalid offset (0, min 0 max 0) or object. [ 869.054150][T22432] binder_transaction: 5 callbacks suppressed 07:50:14 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 869.054166][T22432] binder: 22430:22432 transaction failed 29201/-22, size 0-8 line 3241 [ 869.063463][T22433] binder: 22430:22433 BC_INCREFS_DONE u0000000000000000 no match [ 869.069315][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 869.152054][T22436] binder: 22435:22436 ioctl c018620b 0 returned -14 [ 869.212986][T22437] binder: 22435:22437 got transaction with invalid offset (0, min 0 max 24) or object. [ 869.228307][T22437] binder: 22435:22437 transaction failed 29201/-22, size 24-8 line 3241 [ 869.237574][T22437] binder: 22435:22437 BC_INCREFS_DONE u0000000000000000 no match [ 869.543504][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 869.673179][ T7675] binder: release 22426:22429 transaction 1957 out, still active [ 869.695960][ T12] binder: send failed reply for transaction 1957, target dead [ 869.736745][ T7675] binder: undelivered TRANSACTION_ERROR: 29201 [ 869.833443][ C1] net_ratelimit: 20 callbacks suppressed [ 869.833450][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 869.844929][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 869.850729][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 869.856485][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 869.862248][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 869.868020][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:50:15 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc1f123c123f3188b070") r1 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00008feff0)={&(0x7f00000001c0)={0x2, 0xd, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, [@sadb_address={0x3, 0x6, 0x0, 0xffff0020, 0x1000000000000000, @in={0x2, 0x0, @multicast1}}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @multicast1}}]}, 0x40}}, 0x0) 07:50:15 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(0x0, 0x16) 07:50:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:15 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:15 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:15 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 869.960290][T22442] binder: 22441:22442 ioctl c018620b 0 returned -14 [ 869.977481][T22444] binder_set_nice: 15 callbacks suppressed [ 869.977487][T22444] binder: 22444 RLIMIT_NICE not set [ 869.990269][T22442] binder: 22442 RLIMIT_NICE not set [ 870.000832][T22450] binder: 22449:22450 ioctl c018620b 0 returned -14 [ 870.013414][T22450] binder: 22450 RLIMIT_NICE not set [ 870.036652][T22456] binder: BINDER_SET_CONTEXT_MGR already set [ 870.047326][T22456] binder: 22441:22456 ioctl 40046207 0 returned -16 [ 870.048018][T22457] binder: 22453:22457 ioctl c018620b 0 returned -14 [ 870.056850][T22456] binder: 22441:22456 got transaction with invalid offset (0, min 0 max 0) or object. [ 870.061306][T22458] binder: 22449:22458 got transaction with invalid offset (0, min 0 max 0) or object. [ 870.076218][T22456] binder: 22441:22456 transaction failed 29201/-22, size 0-8 line 3241 [ 870.095069][T22457] binder: 22457 RLIMIT_NICE not set [ 870.097694][T22456] binder: 22441:22456 Release 1 refcount change on invalid ref 1 ret -22 [ 870.109552][T22458] binder: 22449:22458 transaction failed 29201/-22, size 0-8 line 3241 [ 870.111582][T22459] binder: 22449:22459 BC_INCREFS_DONE u0000000000000000 no match 07:50:15 executing program 4: mkdir(&(0x7f0000000380)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000200)='./file0\x00', &(0x7f00000001c0)='proc\x00', 0x0, 0x0) r0 = open$dir(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) getdents(r0, &(0x7f0000001380)=""/4096, 0x8c0a) 07:50:15 executing program 4: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'lo\x00@\x00', 0x101}) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000040)={'lo\x00\x00\x00\x00\x00\x00\x00Jk\x00\r\x00'}) [ 870.141418][T22460] binder: 22453:22460 got transaction with invalid offset (0, min 0 max 24) or object. [ 870.155436][T22460] binder: 22453:22460 transaction failed 29201/-22, size 24-8 line 3241 [ 870.168063][T22460] binder: 22453:22460 BC_INCREFS_DONE u0000000000000000 no match [ 870.234404][T22465] device lo entered promiscuous mode [ 870.314220][T22465] device lo left promiscuous mode 07:50:16 executing program 4: [ 870.418683][T22468] device lo entered promiscuous mode 07:50:16 executing program 4: r0 = open(&(0x7f0000000480)='./file0\x00', 0x80000000000206, 0x0) truncate(&(0x7f0000000180)='./file0\x00', 0x208020001) lseek(r0, 0x0, 0x1000000000003) pwritev(r0, 0x0, 0x0, 0x0) poll(&(0x7f00000000c0)=[{r0}], 0x1, 0x0) fcntl$setflags(0xffffffffffffffff, 0x2, 0x0) setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x50, 0x0, 0xffffffffffffffd9) shmget$private(0x0, 0x1000, 0x0, &(0x7f0000ffc000/0x1000)=nil) shmat(0x0, &(0x7f0000ffb000/0x2000)=nil, 0x0) open(0x0, 0x100, 0x10) sendto(0xffffffffffffffff, 0x0, 0xfffffff7, 0x0, 0x0, 0x137) setsockopt$inet_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x0, 0x50, 0x0, 0x0) setsockopt$inet_MCAST_LEAVE_GROUP(0xffffffffffffffff, 0x0, 0x51, 0x0, 0x0) truncate(0x0, 0x0) open(0x0, 0x0, 0x0) 07:50:16 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_FIOGETOWN(0xffffffffffffffff, 0x8903, &(0x7f00000000c0)=0x0) perf_event_open(&(0x7f0000000200)={0x0, 0x70, 0x6, 0x4, 0x1, 0x0, 0x0, 0x80000000, 0x20000, 0x13, 0x4c, 0x4cb, 0x0, 0x401, 0x1, 0x3, 0x100000001, 0x6, 0x5, 0x0, 0x906, 0x0, 0x0, 0x9, 0x0, 0xa50, 0x0, 0x3, 0x0, 0x4, 0xf, 0x1000004, 0x8001, 0x0, 0x100, 0x9, 0xf0, 0x0, 0x0, 0x0, 0x6, @perf_bp={0x0, 0x1}, 0x0, 0x7, 0x2e, 0x1, 0x0, 0x0, 0x10000}, 0x0, 0x0, r0, 0x0) clone(0x3002001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r2 = gettid() wait4(r1, 0x0, 0x800000080000000, 0x0) ptrace$setopts(0x4206, r2, 0x0, 0x0) tkill(r2, 0x23) ptrace$cont(0x18, r2, 0x0, 0x0) r3 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x4000, 0x0) r4 = syz_open_dev$swradio(&(0x7f0000000100)='/dev/swradio#\x00', 0x1, 0x2) ioctl$KVM_IOEVENTFD(r3, 0x4040ae79, &(0x7f0000000140)={0x4002, &(0x7f0000000080), 0x2, r4, 0x4}) ptrace$cont(0x18, r2, 0x0, 0x1) ptrace$cont(0x20, r1, 0x9, 0xfffffffffffffffa) ptrace$cont(0x18, r2, 0x0, 0x0) migrate_pages(0x0, 0x7, 0x0, &(0x7f00000001c0)=0x1e) [ 870.563534][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 870.569406][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 870.575253][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 870.581009][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:16 executing program 4: openat$pfkey(0xffffffffffffff9c, 0x0, 0x0, 0x0) mlockall(0x400000000007) getresgid(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mlockall(0x4) [ 870.644809][T22475] ptrace attach of "/root/syz-executor.4"[22474] was attempted by "/root/syz-executor.4"[22475] 07:50:16 executing program 4: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee68, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_getattr(0x0, 0x0, 0x0, 0x0) mlockall(0x400000000007) ptrace$getsig(0x4202, 0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mlockall(0x4) [ 870.763839][T31463] binder: undelivered TRANSACTION_ERROR: 29201 [ 870.787665][T31463] binder: release 22443:22452 transaction 1963 out, still active 07:50:16 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(0x0, 0x16) 07:50:16 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$ion(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/ion\x00', 0x0, 0x0) ioctl$ION_IOC_ALLOC(r0, 0xc0184900, &(0x7f00000000c0)={0x7ff, 0x2f, 0x0, 0xffffffffffffffff}) close(r1) 07:50:16 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 870.845932][T31463] binder: undelivered TRANSACTION_ERROR: 29201 [ 870.872163][T22486] binder: 22485:22486 ioctl c018620b 0 returned -14 07:50:16 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:16 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:16 executing program 4: [ 870.900333][T31463] binder: send failed reply for transaction 1963, target dead [ 870.921362][T22492] binder: 22492 RLIMIT_NICE not set [ 870.949403][T22491] binder: 22491 RLIMIT_NICE not set [ 870.958535][T22497] binder: 22496:22497 ioctl c018620b 0 returned -14 [ 870.967603][T22486] binder: 22485:22486 got transaction with invalid offset (0, min 0 max 24) or object. [ 870.973973][T22497] binder: 22497 RLIMIT_NICE not set [ 870.996597][T22501] binder: BINDER_SET_CONTEXT_MGR already set [ 871.002700][T22501] binder: 22490:22501 ioctl 40046207 0 returned -16 [ 871.010854][T22486] binder: 22485:22486 transaction failed 29201/-22, size 24-8 line 3241 [ 871.022130][T22502] binder: 22496:22502 got transaction with invalid offset (0, min 0 max 24) or object. [ 871.032707][T22500] binder: 22499:22500 ioctl c018620b 0 returned -14 07:50:16 executing program 4: [ 871.046469][T22502] binder: 22496:22502 transaction failed 29201/-22, size 24-8 line 3241 [ 871.049006][T22500] binder: 22500 RLIMIT_NICE not set [ 871.068441][T22504] binder: 22496:22504 BC_INCREFS_DONE u0000000000000000 no match [ 871.088319][T22486] binder: 22485:22486 BC_INCREFS_DONE u0000000000000000 no match 07:50:16 executing program 4: 07:50:16 executing program 4: [ 871.096779][T22506] binder: 22499:22506 got transaction with invalid offset (0, min 0 max 24) or object. [ 871.114687][ T7675] binder: release 22490:22501 transaction 1972 out, still active [ 871.133738][T22506] binder: 22499:22506 transaction failed 29201/-22, size 24-8 line 3241 07:50:16 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 871.159410][T22508] binder: 22499:22508 BC_INCREFS_DONE u0000000000000000 no match [ 871.183382][T31463] binder: send failed reply for transaction 1972, target dead [ 871.240010][T22515] binder: 22511:22515 ioctl c018620b 0 returned -14 [ 871.249182][T22514] binder: 22514 RLIMIT_NICE not set [ 871.258477][T22515] binder: 22515 RLIMIT_NICE not set [ 871.304827][T22517] binder: BINDER_SET_CONTEXT_MGR already set [ 871.317651][T22517] binder: 22511:22517 ioctl 40046207 0 returned -16 [ 871.328868][T22517] binder: 22511:22517 got transaction with invalid offset (0, min 0 max 24) or object. [ 871.342318][T22517] binder: 22511:22517 transaction failed 29201/-22, size 24-8 line 3241 [ 871.365701][T22517] binder: 22511:22517 BC_INCREFS_DONE u0000000000000000 no match [ 871.378128][T22517] binder: 22511:22517 Release 1 refcount change on invalid ref 1 ret -22 07:50:17 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:17 executing program 4: 07:50:17 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:17 executing program 4: 07:50:17 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:17 executing program 4: [ 871.824069][T22524] binder: 22523:22524 ioctl c018620b 0 returned -14 07:50:17 executing program 4: 07:50:17 executing program 4: [ 871.885732][T22528] binder: 22523:22528 got transaction with invalid offset (0, min 0 max 24) or object. [ 871.902088][T22530] binder: 22529:22530 ioctl c018620b 0 returned -14 [ 871.902322][T22528] binder: 22523:22528 transaction failed 29201/-22, size 24-8 line 3241 07:50:17 executing program 4: [ 871.947709][T22528] binder: 22523:22528 BC_INCREFS_DONE u0000000000000000 no match [ 871.960736][T22532] binder: 22529:22532 BC_INCREFS_DONE u0000000000000000 no match 07:50:17 executing program 4: 07:50:17 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:17 executing program 4: [ 872.033803][ T7675] binder: release 22513:22516 transaction 1977 out, still active [ 872.060134][T31463] binder: send failed reply for transaction 1977, target dead [ 872.082290][T31463] binder: send failed reply for transaction 1982 to 22529:22532 [ 872.708292][T31463] binder: undelivered TRANSACTION_COMPLETE [ 872.715660][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 872.926664][ T7675] binder: release 22539:22541 transaction 1984 out, still active [ 872.938319][T31463] binder: send failed reply for transaction 1984, target dead 07:50:20 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:20 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:20 executing program 4: 07:50:20 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:20 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:20 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:20 executing program 4: 07:50:20 executing program 4: 07:50:20 executing program 4: [ 874.818323][T22546] binder: 22545:22546 ioctl c018620b 0 returned -14 [ 874.821025][T22552] binder: 22550:22552 ioctl c018620b 0 returned -14 [ 874.837758][T22553] binder: 22551:22553 ioctl c018620b 0 returned -14 07:50:20 executing program 4: [ 874.882800][T22560] binder: BINDER_SET_CONTEXT_MGR already set [ 874.889299][T22560] binder: 22545:22560 ioctl 40046207 0 returned -16 [ 874.896088][T22561] binder: 22550:22561 BC_INCREFS_DONE u0000000000000000 no match [ 874.904491][T22563] binder: 22551:22563 got transaction with invalid offset (0, min 0 max 24) or object. [ 874.915236][T22563] binder: 22551:22563 transaction failed 29201/-22, size 24-8 line 3241 07:50:20 executing program 4: 07:50:20 executing program 4: [ 874.924356][T22560] binder: 22545:22560 got transaction with invalid offset (0, min 0 max 24) or object. [ 874.935370][T22563] binder: 22551:22563 BC_INCREFS_DONE u0000000000000000 no match [ 874.943677][T22560] binder: 22545:22560 transaction failed 29201/-22, size 24-8 line 3241 [ 874.952862][T22560] binder: 22545:22560 BC_INCREFS_DONE u0000000000000000 no match [ 874.961495][T22560] binder: 22545:22560 Release 1 refcount change on invalid ref 1 ret -22 [ 875.611017][T31463] binder: release 22548:22557 transaction 1988 out, still active [ 875.631635][T31463] binder: release 22550:22561 transaction 1991 out, still active [ 875.657610][T31463] binder: undelivered TRANSACTION_COMPLETE [ 875.676436][T31463] binder: send failed reply for transaction 1988, target dead [ 875.695370][T31463] binder: send failed reply for transaction 1991, target dead [ 876.083462][ C1] net_ratelimit: 20 callbacks suppressed [ 876.083470][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 876.095017][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 876.100781][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 876.106558][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 876.112310][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 876.118081][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 876.793512][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 876.799333][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 876.805124][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 876.810884][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:23 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) prlimit64(r0, 0x4, 0x0, &(0x7f0000000080)) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:23 executing program 4: 07:50:23 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:23 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:23 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:23 executing program 4: [ 877.862693][T22574] binder: 22573:22574 ioctl c018620b 0 returned -14 [ 877.877034][T22577] binder_set_nice: 7 callbacks suppressed [ 877.877041][T22577] binder: 22577 RLIMIT_NICE not set [ 877.877905][T22579] binder: 22572:22579 ioctl c018620b 0 returned -14 [ 877.898338][T22574] binder: 22574 RLIMIT_NICE not set [ 877.906181][T22579] binder: 22579 RLIMIT_NICE not set 07:50:23 executing program 4: 07:50:23 executing program 4: [ 877.911626][T22578] binder: 22575:22578 ioctl c018620b 0 returned -14 [ 877.918665][T22578] binder: 22578 RLIMIT_NICE not set [ 877.944755][T22585] binder: 22573:22585 BC_INCREFS_DONE u0000000000000000 no match [ 877.954841][T22587] binder: BINDER_SET_CONTEXT_MGR already set 07:50:23 executing program 4: 07:50:23 executing program 4: 07:50:23 executing program 4: [ 877.960997][T22587] binder: 22572:22587 ioctl 40046207 0 returned -16 [ 877.968755][T22589] binder: 22575:22589 BC_INCREFS_DONE u0000000000000000 no match [ 877.977076][T22587] binder: 22572:22587 BC_INCREFS_DONE u0000000000000000 no match [ 877.987049][T22587] binder: 22572:22587 Release 1 refcount change on invalid ref 1 ret -22 [ 878.653874][T31463] binder: release 22572:22587 transaction 2000 out, still active [ 878.682713][T31463] binder: undelivered TRANSACTION_COMPLETE [ 878.729142][T31463] binder: release 22575:22589 transaction 1999 out, still active [ 878.738791][T31463] binder: undelivered TRANSACTION_COMPLETE [ 878.750216][T31463] binder: send failed reply for transaction 1995 to 22576:22583 [ 878.757960][T31463] binder: send failed reply for transaction 1998 to 22573:22585 [ 878.765744][T31463] binder: send failed reply for transaction 1999, target dead [ 878.773249][T31463] binder: send failed reply for transaction 2000, target dead [ 878.781199][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 878.787498][T31463] binder: undelivered TRANSACTION_COMPLETE [ 878.793314][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:50:26 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:26 executing program 4: 07:50:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:26 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:26 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:26 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:26 executing program 4: 07:50:26 executing program 4: [ 880.932346][T22604] binder: 22601:22604 ioctl c018620b 0 returned -14 [ 880.947099][T22603] binder: 22602:22603 ioctl c018620b 0 returned -14 [ 880.948278][T22600] binder: 22600 RLIMIT_NICE not set [ 880.959303][T22604] binder: 22604 RLIMIT_NICE not set [ 880.965664][T22603] binder: 22603 RLIMIT_NICE not set [ 880.971572][T22607] binder: 22605:22607 ioctl c018620b 0 returned -14 [ 880.984780][T22607] binder: 22607 RLIMIT_NICE not set 07:50:26 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:50:26 executing program 4: [ 881.005763][T22612] binder: BINDER_SET_CONTEXT_MGR already set [ 881.017605][T22613] binder: 22602:22613 BC_INCREFS_DONE u0000000000000000 no match [ 881.024812][T22612] binder: 22601:22612 ioctl 40046207 0 returned -16 [ 881.032631][T22615] binder: 22605:22615 BC_INCREFS_DONE u0000000000000000 no match [ 881.038810][T22612] binder: 22601:22612 BC_INCREFS_DONE u0000000000000000 no match 07:50:26 executing program 4: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.cpu\x00', 0x200002, 0x0) fchdir(r0) r1 = creat(&(0x7f0000000200)='./bus\x00', 0x0) ioctl$FS_IOC_FIEMAP(r1, 0xc020660b, &(0x7f0000000340)={0x0, 0x4000000000000a, 0x100000003, 0x0, 0x1, [{}]}) [ 881.050800][T22612] binder: 22601:22612 Release 1 refcount change on invalid ref 1 ret -22 07:50:26 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000003c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) r4 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x0, 0x0) syz_kvm_setup_cpu$x86(r4, r3, &(0x7f0000000000/0x18000)=nil, 0x0, 0xff7e, 0x0, 0x0, 0x0) 07:50:26 executing program 4: r0 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000700)={0xa, 0x0, 0x0, @dev, 0x3}, 0x1c) r1 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r1, &(0x7f0000000180)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x0, @multicast2}, 0x4}}, 0x26) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@local, @in, 0x4, 0x0, 0x0, 0x0, 0xa}, {0x0, 0x0, 0xb74}, {0xfffffffffffffffc}, 0x0, 0x0, 0x1}, {{@in, 0x0, 0x33}, 0x0, @in6=@mcast2, 0x0, 0x1, 0x0, 0x0, 0xfffffffffffffffe}}, 0xe8) sendmmsg(r1, &(0x7f0000005fc0), 0x800000000000059, 0x0) 07:50:26 executing program 4: r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff) setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x1, 0x32, &(0x7f0000000000)=r0, 0x4) setsockopt$inet6_tcp_int(0xffffffffffffffff, 0x6, 0x200000000000013, &(0x7f0000000280)=0x400100000001, 0x4) creat(&(0x7f0000000040)='./file0\x00', 0x0) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, 0x0, &(0x7f0000000300)) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x10, 0x0, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_ENABLE_CAP(r2, 0x4068aea3, &(0x7f0000000480)={0x79}) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000fe1000/0x18000)=nil, 0x0, 0x179, 0x0, 0x0, 0xffffffffffffff9a) ioctl$KVM_SET_LAPIC(r3, 0x4400ae8f, &(0x7f0000001940)={"a523fb9656eb871ffcd7ffeb51d84e738a55eba841ae487e33cdd921e8a51ce6c924020f0ac3562dd8cdeb31deac16f46da4ac16ee8165bce439eddce671c5b0a1103ea3f86a43cbb78504f6f9c77c2f09dc27632ec6036ee52a87e321e707c0cfe15576c26d52d0334c8d4693e127b3a046a5ed7796c9c5017cfd58ec871ed76369846fea9ebfa2f7f96496abf4ef57ed1ecd930eb9e13396875f01e932804ffe8a34c8fbedd97cdfb3176ec59fbbfd20a6ff17795431c341a35eb0f5f703480a5211cc6a7e2084e4a9b6aedf60b7b8084b00ca2cbed255b4cc4679c967432fea5e95119f9635e94794aab6ef54f290677fa08d0ee2cc8eae468efd02417055d3f3ccc86b629dfb878c4d115c16c75fe352cffa93648cf49577256b5d2faf0634335c97ffff966ae90cbf81250df3613c25d2789c869c9cc95a6e9d364c4c684059c593f9950e66cf81cd9f36d73fade4f0cbb795010364d13ff32c12efd91d0ebb6533700945f2db6113a630bd521eec89a74c46e1733b72d6e4d2ccee3b40f99809a9a4fb5fc2d1c53e1366d455bcbe81893100ab56b2556b55c1a0c5787356b464c3bf7011488e55f587a6d4420d46d69a74ee5bbfbcb0d6cb00aae8c3dfd6dd2e9f76d7a542f20553207b668dce69f1b463ee9166e81bb109f461b8885f15c9e525d72260ccdbd69e3345612158114380b9409ea856cb724faa6ed27ba836b35c10e7c7d43f2fa34f98f16a00f31565e16a213eaf4a7f438c89733ebe6d16328b930fd942bc64d631dd1f2aa1cc2ccdaff2324076c83e1ba4d2a0e40e010c96b42e7a4a76cd7a89ef592b9b3030f62d9fbd565ee5908ab90b42620b61e5d1e08621a31d21003cd12a450461636472fa64a7e1b98778bfb482fb4b4da31b42ee98b10f9c0f4c085d08c37ee2e3a9e4a5aff72a0ab844fcbfa224842c85f6cdfd25829c44760e3859624f891df4824f7d17938ac2dee1412cf3083e1d5ee2d29b63267ccba535409da7bef05d3fa79a3ef037ee609e01ad345ee17f48b5e8510f767de35df4dfb856f7533ad88866c6b01fe345107ba7191a8809e2e014492acf9c4f35cad664198a65c55f884490f4b30b4526324be842c393f336f16bea2bf6c6b917fdb751e12ff689ab4ffa44625a8b2bc1de4e88682abe5ce9d1942792747681ad23c31046d825140987f19a9cf10323c3f50a20f35a6d1dd8ca6758296b4537a0da1a853011b777623c8774b3689897cf9264a7782470847f36a8093f04000000663438ab39d8a777fb3e10cb4a2402a939a98d387087c5ca5fd8fbc4d96ae698b5bb84a0a8484e2b85743e623a033eb5b1889ccfb4b95885bc69d4c1cb819b95e7923e557c9ec9ec10e94d1e1295fc2f256fa095036f6cfc04c414fc57fc72c120614a586089c93741e97a61c46600"}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfe2f) ioctl$KVM_SET_PIT2(0xffffffffffffffff, 0x4070aea0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xa, &(0x7f0000000340)={0x5, 0x8, 0x6, 0x1, 0x4, 0x0, 0x5}, 0x0) 07:50:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:27 executing program 4: futex(&(0x7f000000cffc), 0x800000000005, 0x0, 0x0, 0x0, 0xfffffffffffffffe) 07:50:27 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 881.719621][ T7675] binder: release 22599:22610 transaction 2002 out, still active [ 881.748480][ T7675] binder: release 22605:22615 transaction 2006 out, still active 07:50:27 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:27 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 881.783939][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 881.816494][ T7675] binder: send failed reply for transaction 2002, target dead 07:50:27 executing program 4: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 881.839498][T22637] binder: 22637 RLIMIT_NICE not set [ 881.846712][T22640] binder: 22638:22640 ioctl c018620b 0 returned -14 [ 881.860869][ T7675] binder: send failed reply for transaction 2005 to 22602:22613 [ 881.871674][T22643] binder: 22641:22643 ioctl c018620b 0 returned -14 [ 881.874553][ T7675] binder: send failed reply for transaction 2006, target dead [ 881.886716][T22644] binder: 22642:22644 ioctl c018620b 0 returned -14 [ 881.889569][T22640] binder: 22640 RLIMIT_NICE not set [ 881.896299][T22646] binder: 22645:22646 ioctl c018620b 0 returned -14 [ 881.900851][ T7675] binder: send failed reply for transaction 2007 to 22601:22612 [ 881.916833][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 881.922676][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 881.929056][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 881.938958][T22648] binder: BINDER_SET_CONTEXT_MGR already set [ 881.938966][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 881.951371][T22648] binder: 22638:22648 ioctl 40046207 0 returned -16 [ 881.951671][T22649] binder: 22641:22649 BC_INCREFS_DONE u0000000000000000 no match [ 881.958633][T22650] binder: 22645:22650 got transaction with invalid offset (0, min 0 max 24) or object. [ 881.976005][T22650] binder: 22645:22650 transaction failed 29201/-22, size 24-8 line 3241 [ 881.983616][T22648] binder: 22638:22648 BC_INCREFS_DONE u0000000000000000 no match [ 881.984642][T22651] binder: 22642:22651 BC_INCREFS_DONE u0000000000000000 no match [ 881.992872][T22648] binder: 22638:22648 Release 1 refcount change on invalid ref 1 ret -22 [ 882.014163][T22650] binder: 22645:22650 BC_INCREFS_DONE u0000000000000000 no match [ 882.313475][ C1] net_ratelimit: 20 callbacks suppressed [ 882.313481][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 882.326654][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 882.332460][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 882.338246][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 882.344059][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 882.349797][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 882.623671][T31463] binder: release 22636:22647 transaction 2009 out, still active [ 882.631605][T31463] binder: release 22638:22648 transaction 2014 out, still active [ 882.650855][T31463] binder: undelivered TRANSACTION_COMPLETE [ 882.706940][T31463] binder: release 22642:22651 transaction 2015 out, still active [ 882.721722][T31463] binder: undelivered TRANSACTION_COMPLETE [ 882.732092][T31463] binder: release 22641:22649 transaction 2012 out, still active [ 882.750678][T31463] binder: undelivered TRANSACTION_COMPLETE [ 882.756958][T31463] binder: send failed reply for transaction 2009, target dead [ 882.771182][T31463] binder: send failed reply for transaction 2012, target dead [ 882.778768][T31463] binder: send failed reply for transaction 2014, target dead [ 882.786269][T31463] binder: send failed reply for transaction 2015, target dead [ 883.033528][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 883.039359][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 883.045187][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 883.050924][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:29 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:50:29 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:29 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:29 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:29 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 884.061484][T22660] binder: 22659:22660 ioctl c018620b 0 returned -14 [ 884.071859][T22664] binder: 22661:22664 ioctl c018620b 0 returned -14 [ 884.076275][T22662] binder_set_nice: 3 callbacks suppressed [ 884.076282][T22662] binder: 22662 RLIMIT_NICE not set [ 884.082126][T22658] binder: 22658 RLIMIT_NICE not set [ 884.087173][T22665] binder: 22663:22665 ioctl c018620b 0 returned -14 [ 884.093111][T22660] binder: 22660 RLIMIT_NICE not set [ 884.101880][T22665] binder: 22665 RLIMIT_NICE not set [ 884.109350][T22664] binder: 22664 RLIMIT_NICE not set [ 884.128339][T22669] binder: BINDER_SET_CONTEXT_MGR already set [ 884.134610][T22669] binder: 22656:22669 ioctl 40046207 0 returned -16 [ 884.141833][T22670] binder: 22659:22670 BC_INCREFS_DONE u0000000000000000 no match [ 884.150281][T22671] binder: BINDER_SET_CONTEXT_MGR already set [ 884.157112][T22671] binder: 22663:22671 ioctl 40046207 0 returned -16 [ 884.157230][T22672] binder: 22661:22672 BC_INCREFS_DONE u0000000000000000 no match [ 884.167326][T22671] binder: 22663:22671 BC_INCREFS_DONE u0000000000000000 no match [ 884.180146][T22671] binder: 22663:22671 Release 1 refcount change on invalid ref 1 ret -22 07:50:30 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:30 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 884.863597][T31463] binder: release 22659:22670 transaction 2020 out, still active [ 884.897230][T22676] binder: 22675:22676 ioctl c018620b 0 returned -14 07:50:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:30 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:30 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 884.913493][T31463] binder: undelivered TRANSACTION_COMPLETE [ 884.928782][T31463] binder: release 22657:22668 transaction 2017 out, still active [ 884.968465][T31463] binder: send failed reply for transaction 2017, target dead [ 884.978436][T22682] binder: 22678:22682 ioctl c018620b 0 returned -14 [ 884.992474][T22688] binder: 22688 RLIMIT_NICE not set [ 884.999650][T22686] binder: 22684:22686 ioctl c018620b 0 returned -14 [ 885.002920][T22687] binder: 22687 RLIMIT_NICE not set [ 885.011614][T31463] binder: send failed reply for transaction 2020, target dead [ 885.020099][T22676] binder: 22675:22676 transaction failed 29189/-22, size 24-8 line 2994 [ 885.028605][T31463] binder: send failed reply for transaction 2021 to 22656:22669 [ 885.036498][T22689] binder: 22689 RLIMIT_NICE not set [ 885.040776][T22686] binder: 22686 RLIMIT_NICE not set [ 885.041881][T31463] binder: send failed reply for transaction 2024 to 22661:22672 [ 885.052426][T22683] binder: 22683 RLIMIT_NICE not set [ 885.060333][T22682] binder: BINDER_SET_CONTEXT_MGR already set 07:50:30 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 885.062423][T31463] binder: send failed reply for transaction 2025 to 22663:22671 [ 885.069139][T22682] binder: 22678:22682 ioctl 40046207 0 returned -16 [ 885.081549][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 885.085134][T22682] binder: 22678:22682 BC_INCREFS_DONE u0000000000000000 no match [ 885.088772][T31463] binder: undelivered TRANSACTION_COMPLETE [ 885.101577][T22692] binder: BINDER_SET_CONTEXT_MGR already set [ 885.104639][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 885.121580][T22692] binder: 22681:22692 ioctl 40046207 0 returned -16 [ 885.121728][T31463] binder: undelivered TRANSACTION_COMPLETE [ 885.134278][T22691] binder: 22684:22691 BC_INCREFS_DONE u0000000000000000 no match [ 885.140286][T22682] binder: 22678:22682 Release 1 refcount change on invalid ref 1 ret -22 [ 885.157515][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 885.161940][T22695] binder: 22694:22695 ioctl c018620b 0 returned -14 [ 885.173546][T31463] binder: release 22678:22682 transaction 2031 out, still active [ 885.181302][T31463] binder: undelivered TRANSACTION_COMPLETE [ 885.187512][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 885.217804][T22697] binder: 22694:22697 BC_INCREFS_DONE node 2037 has no pending increfs request [ 885.783511][ T7675] binder: release 22681:22692 transaction 2033 out, still active [ 885.803463][ T7675] binder: release 22684:22691 transaction 2032 out, still active [ 885.811338][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 885.817479][ T7675] binder: release 22685:22690 transaction 2028 out, still active [ 885.839713][T31463] binder: send failed reply for transaction 2028, target dead [ 885.849578][T31463] binder: send failed reply for transaction 2031, target dead [ 885.861936][T31463] binder: send failed reply for transaction 2032, target dead [ 885.869905][T31463] binder: send failed reply for transaction 2033, target dead [ 885.877774][T31463] binder: send failed reply for transaction 2036 to 22694:22697 [ 885.952507][T31463] binder: undelivered TRANSACTION_COMPLETE [ 885.958478][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:50:32 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:50:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:32 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:32 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:32 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:32 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 887.125737][T22705] binder: 22703:22705 ioctl c018620b 0 returned -14 [ 887.131582][T22710] binder: 22707:22710 ioctl c018620b 0 returned -14 [ 887.141627][T22709] binder: 22702:22709 ioctl c018620b 0 returned -14 [ 887.193651][T22714] binder: BINDER_SET_CONTEXT_MGR already set [ 887.200501][T22714] binder: 22707:22714 ioctl 40046207 0 returned -16 [ 887.202151][T22716] binder: 22702:22716 BC_INCREFS_DONE node 2045 has no pending increfs request [ 887.207433][T22715] binder: BINDER_SET_CONTEXT_MGR already set [ 887.207458][T22715] binder: 22706:22715 ioctl 40046207 0 returned -16 [ 887.208742][T22714] binder: 22707:22714 BC_INCREFS_DONE u0000000000000000 no match [ 887.217036][T22717] binder: 22703:22717 BC_INCREFS_DONE u0000000000000000 no match [ 887.224875][T22714] binder: 22707:22714 Release 1 refcount change on invalid ref 1 ret -22 07:50:33 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 887.923926][ T7675] binder: release 22706:22715 transaction 2048 out, still active [ 887.931766][ T7675] binder: release 22702:22716 transaction 2043 out, still active 07:50:33 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:33 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:33 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 887.989780][ T7675] binder: unexpected work type, 4, not freed [ 888.020581][T22722] binder: 22720:22722 ioctl c018620b 0 returned -14 [ 888.038293][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 888.057746][ T7675] binder: release 22707:22714 transaction 2047 out, still active [ 888.062066][T22730] binder: 22725:22730 ioctl c018620b 0 returned -14 [ 888.082664][T22732] binder: 22727:22732 ioctl c018620b 0 returned -14 [ 888.089544][T22733] binder_alloc: 22701: binder_alloc_buf, no vma [ 888.092728][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 888.097256][T22733] binder: 22720:22733 transaction failed 29189/-3, size 24-8 line 3147 [ 888.110727][ T7675] binder: release 22703:22717 transaction 2044 out, still active [ 888.118650][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 888.121548][T22734] binder: BINDER_SET_CONTEXT_MGR already set [ 888.131493][T22734] binder: 22728:22734 ioctl 40046207 0 returned -16 [ 888.131654][T22735] binder: 22725:22735 transaction failed 29189/-22, size 24-8 line 2994 [ 888.140038][T22734] binder: 22728:22734 transaction failed 29189/-22, size 24-8 line 2994 [ 888.149264][ T7675] binder: send failed reply for transaction 2040 to 22701:22713 [ 888.159437][T22734] binder: 22728:22734 BC_INCREFS_DONE u0000000000000000 no match [ 888.163999][ T7675] binder: send failed reply for transaction 2043, target dead [ 888.178250][T22737] binder: BINDER_SET_CONTEXT_MGR already set [ 888.188451][T22737] binder: 22727:22737 ioctl 40046207 0 returned -16 [ 888.188459][T22738] binder: 22725:22738 BC_INCREFS_DONE u0000000000000000 no match [ 888.202875][ T7675] binder: send failed reply for transaction 2047, target dead [ 888.214460][ T7675] binder: send failed reply for transaction 2044, target dead [ 888.214802][T22737] binder: 22727:22737 BC_INCREFS_DONE node 2059 has no pending increfs request [ 888.221964][ T7675] binder: send failed reply for transaction 2048, target dead [ 888.222045][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 888.233560][T22737] binder: 22727:22737 Release 1 refcount change on invalid ref 1 ret -22 [ 888.553477][ C1] net_ratelimit: 20 callbacks suppressed [ 888.553484][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 888.565051][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 888.570853][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 888.576716][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 888.582493][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 888.588283][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:50:34 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 888.818411][T22741] binder: 22740:22741 ioctl c018620b 0 returned -14 [ 888.848782][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 888.881161][ T7675] binder: unexpected work type, 4, not freed [ 888.887416][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 888.923028][ T7675] binder: send failed reply for transaction 2061 to 22740:22742 [ 889.273487][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 889.279305][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 889.285136][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 889.290895][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 889.611313][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 07:50:35 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:35 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:35 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:35 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:35 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 890.188408][T22752] binder: 22747:22752 ioctl c018620b 0 returned -14 [ 890.192429][T22756] binder: 22748:22756 ioctl c018620b 0 returned -14 [ 890.202987][T22755] binder: 22749:22755 ioctl c018620b 0 returned -14 [ 890.205403][T22754] binder_set_nice: 12 callbacks suppressed [ 890.205409][T22754] binder: 22754 RLIMIT_NICE not set [ 890.210532][T22752] binder: 22752 RLIMIT_NICE not set [ 890.221718][T22756] binder: 22756 RLIMIT_NICE not set [ 890.230860][T22755] binder: 22755 RLIMIT_NICE not set 07:50:36 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) [ 890.251741][T22753] binder: 22753 RLIMIT_NICE not set [ 890.259792][T22753] binder: BINDER_SET_CONTEXT_MGR already set [ 890.266482][T22753] binder: 22751:22753 ioctl 40046207 0 returned -16 [ 890.269394][T22761] binder: BINDER_SET_CONTEXT_MGR already set [ 890.280496][T22761] binder: 22748:22761 ioctl 40046207 0 returned -16 [ 890.280859][T22763] binder: 22749:22763 BC_INCREFS_DONE node 2072 has no pending increfs request 07:50:36 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) [ 890.312472][T22761] binder: 22748:22761 BC_INCREFS_DONE node 2078 has no pending increfs request [ 890.322172][T22761] binder: 22748:22761 Release 1 refcount change on invalid ref 1 ret -22 [ 890.350429][T22766] binder: 22751:22766 BC_INCREFS_DONE node 2075 has no pending increfs request 07:50:36 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:36 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:36 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 890.979227][T31463] binder_thread_release: 2 callbacks suppressed [ 890.979239][T31463] binder: release 22747:22760 transaction 2065 out, still active 07:50:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:36 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:36 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r2, &(0x7f0000000040), 0x0, 0x1}, 0x20) r3 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r4 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r5, 0x0) ioctl$KVM_SET_TSS_ADDR(r3, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000000100)={r6}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 891.039639][T31463] binder: release 22748:22761 transaction 2077 out, still active [ 891.095256][T31463] binder: unexpected work type, 4, not freed [ 891.120956][T22783] binder: 22781:22783 ioctl c018620b 0 returned -14 [ 891.125826][T22784] binder: 22780:22784 ioctl c018620b 0 returned -14 [ 891.138546][T22785] binder: 22782:22785 ioctl c018620b 0 returned -14 [ 891.142171][T31463] binder: undelivered TRANSACTION_COMPLETE [ 891.149896][T22783] binder: 22783 RLIMIT_NICE not set [ 891.151138][T31463] binder: release 22749:22763 transaction 2071 out, still active [ 891.157809][T22785] binder: 22785 RLIMIT_NICE not set [ 891.166088][T22777] binder: 22777 RLIMIT_NICE not set [ 891.177421][T22787] binder: 22787 RLIMIT_NICE not set [ 891.180622][T22777] binder: BINDER_SET_CONTEXT_MGR already set [ 891.182711][T22788] binder: 22788 RLIMIT_NICE not set [ 891.194881][T31463] binder: unexpected work type, 4, not freed [ 891.200990][T31463] binder: undelivered TRANSACTION_COMPLETE [ 891.207080][T22777] binder: 22775:22777 ioctl 40046207 0 returned -16 [ 891.207129][T22789] binder_alloc: 22750: binder_alloc_buf, no vma [ 891.219101][T22789] binder: 22781:22789 transaction failed 29189/-3, size 24-8 line 3147 [ 891.220930][T31463] binder_send_failed_reply: 2 callbacks suppressed [ 891.220949][T31463] binder: send failed reply for transaction 2065, target dead [ 891.230293][T22788] binder: 22780:22788 ioctl c0306201 0 returned -14 [ 891.248959][T31463] binder: send failed reply for transaction 2068 to 22750:22759 [ 891.253969][T22790] binder: BINDER_SET_CONTEXT_MGR already set [ 891.263352][T22790] binder: 22782:22790 ioctl 40046207 0 returned -16 [ 891.263962][T22793] binder: 22782:22793 BC_INCREFS_DONE node 2092 has no pending increfs request [ 891.270736][T22794] binder: 22781:22794 BC_INCREFS_DONE u0000000000000000 no match 07:50:37 executing program 4: syz_open_dev$sndseq(0x0, 0x0, 0x0) mkdir(0x0, 0x0) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 891.293420][T31463] binder: send failed reply for transaction 2071, target dead [ 891.300934][T31463] binder: send failed reply for transaction 2074 to 22751:22753 [ 891.312744][T22790] binder: 22782:22790 Release 1 refcount change on invalid ref 1 ret -22 [ 891.321618][T31463] binder: send failed reply for transaction 2077, target dead [ 891.329271][T31463] binder: release 22775:22792 transaction 2088 out, still active [ 891.337465][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 891.340656][T22797] binder: 22796:22797 ioctl c018620b 0 returned -14 [ 891.343835][T31463] binder: undelivered TRANSACTION_COMPLETE [ 891.356667][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:50:37 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 891.913459][ T7675] binder: release 22780:22784 transaction 2080 out, still active [ 891.921247][ T7675] binder: unexpected work type, 4, not freed 07:50:37 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:37 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 891.957994][ T7675] binder: undelivered TRANSACTION_COMPLETE [ 891.976815][T22802] binder: 22801:22802 ioctl c018620b 0 returned -14 [ 891.991945][T22805] binder: 22803:22805 ioctl c018620b 0 returned -14 [ 892.012821][ T7675] binder: send failed reply for transaction 2083 to 22786:22791 [ 892.019647][T22807] binder: 22806:22807 ioctl c018620b 0 returned -14 [ 892.028821][ T7675] binder: send failed reply for transaction 2080, target dead [ 892.049296][ T7675] binder: send failed reply for transaction 2088, target dead [ 892.061160][ T7675] binder: send failed reply for transaction 2091 to 22782:22793 [ 892.068872][ T7675] binder: send failed reply for transaction 2094 to 22796:22798 [ 892.077404][T22812] binder: 22801:22812 ioctl c0306201 0 returned -14 [ 892.083600][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 892.088497][T22814] binder: BINDER_SET_CONTEXT_MGR already set [ 892.096789][T22814] binder: 22809:22814 ioctl 40046207 0 returned -16 [ 892.096873][ T7675] binder: undelivered TRANSACTION_COMPLETE 07:50:37 executing program 4: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 892.111893][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 892.118312][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 892.143700][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 892.167176][T22816] binder: 22815:22816 ioctl c018620b 0 returned -14 [ 892.773512][T31463] binder: release 22801:22812 transaction 2101 out, still active [ 892.781455][T31463] binder: release 22803:22811 transaction 2098 out, still active [ 892.810014][T31463] binder: send failed reply for transaction 2098, target dead [ 892.855714][T31463] binder: send failed reply for transaction 2101, target dead [ 892.864234][T31463] binder: send failed reply for transaction 2105 to 22809:22814 [ 892.871915][T31463] binder: send failed reply for transaction 2104 to 22806:22813 [ 892.871932][T31463] binder: send failed reply for transaction 2110 to 22815:22817 [ 892.890038][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 892.903489][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 892.909789][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:50:39 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:39 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:39 executing program 4: r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f000001bfc8)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {}, [@IFLA_GROUP={0x8}, @IFLA_PROTO_DOWN={0x8, 0x11}]}, 0x30}}, 0x8) 07:50:39 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:39 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 893.490039][T22827] netlink: 'syz-executor.4': attribute type 17 has an invalid length. [ 893.504243][T22831] binder: 22828:22831 ioctl c018620b 0 returned -14 [ 893.509413][T22832] binder: 22822:22832 ioctl c018620b 0 returned -14 [ 893.519655][T22825] binder: 22824:22825 ioctl c018620b 0 returned -14 [ 893.520748][T22827] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready 07:50:39 executing program 4: r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f000001bfc8)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {}, [@IFLA_GROUP={0x8}, @IFLA_PROTO_DOWN={0x8, 0x11}]}, 0x30}, 0x1, 0x0, 0x0, 0x4000000000000000}, 0x0) [ 893.568935][T22837] binder: BINDER_SET_CONTEXT_MGR already set [ 893.575186][T22837] binder: 22822:22837 ioctl 40046207 0 returned -16 [ 893.582607][T22838] binder: 22824:22838 ioctl c0306201 0 returned -14 [ 893.596766][T22837] binder: 22822:22837 Release 1 refcount change on invalid ref 1 ret -22 [ 893.605677][T22840] netlink: 'syz-executor.4': attribute type 17 has an invalid length. [ 893.616642][T22840] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready 07:50:39 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ENABLE(0xffffffffffffffff, &(0x7f00000005c0)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000600)={&(0x7f0000000780)=ANY=[@ANYBLOB="00022bbd7000fedbdf250300000028000200040004000800020001000000921801000300000008000100c581000008000200ffffffff68000100080003000000000044000400200001000a0067240000000fff020000000000000000000000000001bc070000200002000a004e2200000006fe8000000000000000000000000000aa02000000100001007500400000000000000000000000000000000000"], 0x1}, 0x1, 0x0, 0x0, 0x20000044}, 0x10) [ 893.745409][T22843] binder: BINDER_SET_CONTEXT_MGR already set [ 893.751724][T22843] binder: 22841:22843 ioctl 40046207 0 returned -16 [ 893.767829][T22843] binder: 22841:22843 Release 1 refcount change on invalid ref 1 ret -22 07:50:40 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:40 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:40 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 894.285171][ T7675] binder: release 22824:22838 transaction 2120 out, still active [ 894.313759][ T7675] binder: release 22822:22837 transaction 2123 out, still active [ 894.321590][ T7675] binder: release 22828:22836 transaction 2117 out, still active 07:50:40 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 894.381424][T22848] binder: 22847:22848 ioctl c018620b 0 returned -14 [ 894.403567][ T7675] binder: send failed reply for transaction 2114 to 22829:22834 [ 894.416841][T22851] binder: 22850:22851 ioctl c018620b 0 returned -14 [ 894.421379][ T7675] binder: send failed reply for transaction 2117, target dead [ 894.436864][T22848] binder: 22847:22848 transaction failed 29189/-22, size 24-8 line 2994 [ 894.445198][T22856] binder: 22853:22856 ioctl c018620b 0 returned -14 [ 894.452353][ T7675] binder: send failed reply for transaction 2120, target dead [ 894.460740][ T7675] binder: send failed reply for transaction 2123, target dead [ 894.469348][ T7675] binder: send failed reply for transaction 2126 to 22841:22843 [ 894.478166][ T7675] binder: undelivered TRANSACTION_ERROR: 29189 [ 894.492510][T22858] binder: 22850:22858 transaction failed 29189/-22, size 24-8 line 2994 [ 894.503085][T22860] binder: BINDER_SET_CONTEXT_MGR already set [ 894.512754][T22860] binder: 22852:22860 ioctl 40046207 0 returned -16 [ 894.793467][ C1] net_ratelimit: 20 callbacks suppressed [ 894.793477][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 894.804936][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 894.810716][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 894.816473][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 894.822328][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 894.828083][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 895.513469][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 895.519266][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 895.525093][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 895.530836][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:42 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:50:42 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ENABLE(0xffffffffffffffff, &(0x7f00000005c0)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000600)={&(0x7f0000000780)=ANY=[@ANYBLOB="00022bbd7000fedbdf250300000028000200040004000800020001000000921801000300000008000100c581000008000200ffffffff68000100080003000000000044000400200001000a0067240000000fff020000000000000000000000000001bc070000200002000a004e2200000006fe8000000000000000000000000000aa02000000100001007500400000000000000000000000000000000000"], 0x1}, 0x1, 0x0, 0x0, 0x20000044}, 0x10) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000080), 0xffffffffffffffff) 07:50:42 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:50:42 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:42 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:42 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 896.517081][T22871] binder: 22867:22871 ioctl c018620b 0 returned -14 [ 896.521288][T22870] binder_set_nice: 15 callbacks suppressed [ 896.521294][T22870] binder: 22870 RLIMIT_NICE not set [ 896.531839][T22875] binder: 22865:22875 ioctl c018620b 0 returned -14 [ 896.537498][T22869] binder: 22866:22869 ioctl c018620b 0 returned -14 [ 896.542339][T22875] binder: 22875 RLIMIT_NICE not set [ 896.555811][T22869] binder: 22869 RLIMIT_NICE not set [ 896.562822][T22871] binder: 22871 RLIMIT_NICE not set [ 896.576942][T22872] binder: 22872 RLIMIT_NICE not set [ 896.588625][T22877] binder: BINDER_SET_CONTEXT_MGR already set [ 896.594844][T22877] binder: 22865:22877 ioctl 40046207 0 returned -16 [ 896.603143][T22877] binder: 22865:22877 ioctl c0306201 0 returned -14 [ 896.610301][T22880] binder: 22867:22880 ioctl c0306201 0 returned -14 [ 896.617838][T22877] binder: 22865:22877 Release 1 refcount change on invalid ref 1 ret -22 [ 896.623497][T22881] binder: BINDER_SET_CONTEXT_MGR already set [ 896.633448][T22881] binder: 22864:22881 ioctl 40046207 0 returned -16 [ 896.648760][T22881] binder: 22864:22881 Release 1 refcount change on invalid ref 1 ret -22 07:50:43 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='pids.current\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r0, r1, 0xb, 0x2}, 0x10) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r2 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x4000000, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r3, &(0x7f0000000040), 0x0, 0x1}, 0x20) r4 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r6, 0x0) ioctl$KVM_SET_TSS_ADDR(r4, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000100)={r7}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00') ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ENABLE(0xffffffffffffffff, &(0x7f00000005c0)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000600)={&(0x7f0000000780)=ANY=[@ANYBLOB="00022bbd7000fedbdf250300000028000200040004000800020001000000921801000300000008000100c581000008000200ffffffff68000100080003000000000044000400200001000a0067240000000fff020000000000000000000000000001bc070000200002000a004e2200000006fe8000000000000000000000000000aa02000000100001007500400000000000000000000000000000000000"], 0x1}, 0x1, 0x0, 0x0, 0x20000044}, 0x10) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000080), 0xffffffffffffffff) [ 897.313961][T31463] binder_thread_release: 2 callbacks suppressed [ 897.313972][T31463] binder: release 22864:22881 transaction 2151 out, still active 07:50:43 executing program 0: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:43 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:43 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 897.392539][T31463] binder: release 22866:22879 transaction 2142 out, still active [ 897.420284][T31463] binder: release 22867:22880 transaction 2148 out, still active [ 897.421379][T22884] binder: 22884 RLIMIT_NICE not set [ 897.443125][T22890] binder: 22889:22890 ioctl c018620b 0 returned -14 [ 897.455636][T31463] binder: release 22865:22877 transaction 2145 out, still active [ 897.463782][T31463] binder: send failed reply for transaction 2139 to 22868:22876 [ 897.471600][T31463] binder_send_failed_reply: 2 callbacks suppressed [ 897.471606][T31463] binder: send failed reply for transaction 2142, target dead 07:50:43 executing program 4: r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f000001bfc8)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {}, [@IFLA_GROUP={0x8}, @IFLA_PROTO_DOWN={0x8, 0xa}]}, 0x30}}, 0x0) [ 897.493651][T22895] binder: 22895 RLIMIT_NICE not set [ 897.504441][T22896] binder: 22892:22896 ioctl c018620b 0 returned -14 [ 897.520872][T22893] binder: 22891:22893 ioctl c018620b 0 returned -14 [ 897.528458][T22897] binder: 22897 RLIMIT_NICE not set [ 897.536428][T22890] binder_alloc: 22883: binder_alloc_buf, no vma [ 897.538852][T31463] binder: send failed reply for transaction 2145, target dead [ 897.550874][T22896] binder: 22896 RLIMIT_NICE not set [ 897.554457][T22901] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready [ 897.558854][T22893] binder: 22893 RLIMIT_NICE not set [ 897.563755][T22890] binder: 22889:22890 transaction failed 29189/-3, size 24-8 line 3147 [ 897.571598][T31463] binder: send failed reply for transaction 2148, target dead [ 897.581642][T22901] device bridge_slave_0 left promiscuous mode [ 897.585361][T22902] binder: BINDER_SET_CONTEXT_MGR already set [ 897.591988][T22901] bridge0: port 1(bridge_slave_0) entered disabled state [ 897.603303][T31463] binder: send failed reply for transaction 2151, target dead [ 897.623511][T22902] binder: 22894:22902 ioctl 40046207 0 returned -16 [ 897.623748][T22903] binder_alloc: 22883: binder_alloc_buf, no vma [ 897.630278][T22904] binder: BINDER_SET_CONTEXT_MGR already set [ 897.643254][T22904] binder: 22891:22904 ioctl 40046207 0 returned -16 [ 897.643944][T31463] binder: send failed reply for transaction 2155 to 22883:22898 [ 897.652079][T22904] binder: 22891:22904 transaction failed 29189/-22, size 24-8 line 2994 [ 897.661337][T31463] binder_release_work: 1 callbacks suppressed [ 897.661344][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 897.674174][T22904] binder: 22891:22904 ioctl c0306201 0 returned -14 [ 897.686730][T22901] device bridge_slave_1 left promiscuous mode [ 897.692105][T22905] binder_alloc: 22883: binder_alloc_buf, no vma [ 897.692930][T22902] binder: 22894:22902 BC_INCREFS_DONE u0000000000000000 no match [ 897.701618][T22903] binder: 22892:22903 transaction failed 29189/-3, size 24-8 line 3147 [ 897.707949][T22901] bridge0: port 2(bridge_slave_1) entered disabled state [ 897.718379][T22905] binder: 22894:22905 transaction failed 29189/-3, size 24-8 line 3147 [ 897.732651][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 897.739017][T22904] binder: 22891:22904 Release 1 refcount change on invalid ref 1 ret -22 [ 897.751486][T22907] binder: 22892:22907 ioctl c0306201 0 returned -14 [ 897.765811][T22901] bond0: Releasing backup interface bond_slave_0 [ 897.860786][T22901] bond0: Releasing backup interface bond_slave_1 [ 898.045303][T22901] team0: Port device team_slave_0 removed [ 898.164585][T22901] team0: Port device team_slave_1 removed 07:50:45 executing program 4: r0 = memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) r1 = syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) dup2(r1, r0) write$sndseq(r0, &(0x7f0000000000)=[{0x0, 0xfeffffff00000000, 0x0, 0x0, @tick, {}, {0xfffffffe}, @connect}], 0xffffff76) 07:50:45 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:45 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(0xffffffffffffffff, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(0xffffffffffffffff, 0xffffffffffffffff) r1 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r1, 0x16) 07:50:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:45 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:50:45 executing program 0: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:45 executing program 4 (fault-call:7 fault-nth:0): openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 899.551620][T22915] binder: 22914:22915 ioctl c018620b 0 returned -14 [ 899.565110][T22919] binder: 22916:22919 ioctl c018620b 0 returned -14 [ 899.575577][T22920] binder: 22917:22920 ioctl c018620b 0 returned -14 [ 899.594748][T22924] binder: 22923:22924 ioctl c018620b 0 returned -14 [ 899.628597][T22927] binder: BINDER_SET_CONTEXT_MGR already set [ 899.634842][T22927] binder: 22916:22927 ioctl 40046207 0 returned -16 [ 899.642004][T22928] binder: 22917:22928 ioctl c0306201 0 returned -14 [ 899.642539][T22927] binder: 22916:22927 ioctl c0306201 0 returned -14 [ 899.657198][T22927] binder: 22916:22927 Release 1 refcount change on invalid ref 1 ret -22 07:50:46 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 900.350216][T12061] binder: release 22914:22926 transaction 2166 out, still active [ 900.365557][T12061] binder: release 22917:22928 transaction 2169 out, still active [ 900.390131][T12061] binder: release 22916:22927 transaction 2172 out, still active 07:50:46 executing program 0: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:46 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 900.398181][T22924] FAULT_INJECTION: forcing a failure. [ 900.398181][T22924] name fail_futex, interval 1, probability 0, space 0, times 1 [ 900.443157][T12061] binder: release 22923:22929 transaction 2175 out, still active [ 900.459977][T22935] binder: 22934:22935 ioctl c018620b 0 returned -14 [ 900.469457][T22924] CPU: 1 PID: 22924 Comm: syz-executor.4 Not tainted 5.1.0-rc2 #36 [ 900.477364][T22924] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 900.487413][T22924] Call Trace: [ 900.490727][T22924] dump_stack+0x172/0x1f0 [ 900.495062][T22924] should_fail.cold+0xa/0x15 [ 900.497331][T22940] binder: 22939:22940 ioctl c018620b 0 returned -14 [ 900.499828][T22924] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 900.499929][T22924] get_futex_key+0xba3/0x1660 [ 900.499949][T22924] ? unqueue_me_pi+0xc0/0xc0 [ 900.520186][T22937] binder: 22936:22937 ioctl c018620b 0 returned -14 [ 900.521539][T22924] ? __lock_acquire+0x548/0x3fb0 [ 900.521560][T22924] futex_wake+0xf9/0x4d0 [ 900.537444][T22924] ? get_futex_key+0x1660/0x1660 [ 900.542395][T22924] ? __lock_acquire+0x548/0x3fb0 [ 900.547332][T22924] ? __lock_acquire+0x548/0x3fb0 [ 900.552283][T22924] do_futex+0x324/0x1df0 [ 900.556519][T22924] ? __lock_acquire+0x548/0x3fb0 [ 900.561446][T22924] ? __might_fault+0x12b/0x1e0 [ 900.563512][T22942] binder: BINDER_SET_CONTEXT_MGR already set [ 900.566218][T22924] ? exit_robust_list+0x2c0/0x2c0 [ 900.566234][T22924] ? __might_fault+0x12b/0x1e0 [ 900.566249][T22924] ? find_held_lock+0x35/0x130 [ 900.566262][T22924] ? __might_fault+0x12b/0x1e0 [ 900.566281][T22924] ? lock_downgrade+0x880/0x880 [ 900.566373][T22924] mm_release+0x33d/0x490 [ 900.575859][T22942] binder: 22939:22942 ioctl 40046207 0 returned -16 [ 900.577314][T22924] do_exit+0x417/0x2fa0 [ 900.577360][T22924] ? get_signal+0x331/0x1d50 [ 900.588470][T22942] binder_alloc: 22912: binder_alloc_buf, no vma [ 900.591598][T22924] ? find_held_lock+0x35/0x130 [ 900.591615][T22924] ? mm_update_next_owner+0x640/0x640 [ 900.591635][T22924] ? kasan_check_write+0x14/0x20 [ 900.591652][T22924] ? _raw_spin_unlock_irq+0x28/0x90 [ 900.591664][T22924] ? get_signal+0x331/0x1d50 [ 900.591680][T22924] ? _raw_spin_unlock_irq+0x28/0x90 [ 900.599050][T22942] binder: 22939:22942 transaction failed 29189/-3, size 24-8 line 3147 [ 900.600924][T22924] do_group_exit+0x135/0x370 [ 900.600943][T22924] get_signal+0x399/0x1d50 [ 900.600964][T22924] ? rcu_read_lock_sched_held+0x110/0x130 [ 900.600982][T22924] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 900.613290][T22942] binder: 22939:22942 Release 1 refcount change on invalid ref 1 ret -22 [ 900.616312][T22924] do_signal+0x87/0x1940 [ 900.616329][T22924] ? __fget+0x381/0x550 [ 900.616354][T22924] ? setup_sigcontext+0x7d0/0x7d0 [ 900.616370][T22924] ? kick_process+0xef/0x180 [ 900.616385][T22924] ? task_work_add+0x9c/0x110 [ 900.616401][T22924] ? exit_to_usermode_loop+0x43/0x2c0 [ 900.616418][T22924] ? do_fast_syscall_32+0xa9d/0xc98 [ 900.628667][T22947] binder_alloc: 22912: binder_alloc_buf, no vma [ 900.633834][T22924] ? exit_to_usermode_loop+0x43/0x2c0 [ 900.633855][T22924] ? lockdep_hardirqs_on+0x418/0x5d0 [ 900.633871][T22924] ? trace_hardirqs_on+0x67/0x230 [ 900.633886][T22924] exit_to_usermode_loop+0x244/0x2c0 [ 900.633902][T22924] do_fast_syscall_32+0xa9d/0xc98 [ 900.633920][T22924] entry_SYSENTER_compat+0x70/0x7f [ 900.633930][T22924] RIP: 0023:0xf7ff8869 [ 900.633941][T22924] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 07:50:46 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 900.633948][T22924] RSP: 002b:00000000f5df40cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036 [ 900.633961][T22924] RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00000000c0306201 [ 900.633967][T22924] RDX: 0000000020000140 RSI: 0000000000000000 RDI: 0000000000000000 [ 900.633979][T22924] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 900.649282][T22947] binder: 22936:22947 transaction failed 29189/-3, size 24-8 line 3147 [ 900.653815][T22924] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 900.653823][T22924] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 900.655379][T22945] binder: BINDER_SET_CONTEXT_MGR already set [ 900.671771][T22948] binder_alloc: 22912: binder_alloc_buf, no vma [ 900.678553][T12061] binder: send failed reply for transaction 2163 to 22912:22925 [ 900.686631][T22950] binder: 22938:22950 BC_INCREFS_DONE u0000000000000000 no match [ 900.691977][T22946] binder: 22934:22946 transaction failed 29189/-22, size 24-8 line 2994 [ 900.701961][T22948] binder: 22938:22948 transaction failed 29189/-3, size 24-8 line 3147 [ 900.705684][T12061] binder: send failed reply for transaction 2166, target dead [ 900.705700][T12061] binder: send failed reply for transaction 2169, target dead [ 900.705714][T12061] binder: send failed reply for transaction 2172, target dead [ 900.705732][T12061] binder: send failed reply for transaction 2175, target dead [ 900.737104][T22945] binder: 22938:22945 ioctl 40046207 0 returned -16 [ 900.738825][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 900.855610][T22952] binder: 22951:22952 ioctl c018620b 0 returned -14 07:50:46 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 900.954822][T22952] binder: 22951:22952 transaction failed 29189/-22, size 24-8 line 2994 [ 900.966994][T22952] binder: 22951:22952 BC_INCREFS_DONE u0000000000000000 no match [ 901.009183][T22955] binder: 22954:22955 ioctl c018620b 0 returned -14 [ 901.016501][T22955] binder: 22954:22955 ioctl 2 20000140 returned -22 [ 901.027206][T22955] binder: 22954:22955 transaction failed 29189/-22, size 24-8 line 2994 [ 901.036364][T22955] binder: 22954:22955 BC_INCREFS_DONE u0000000000000000 no match [ 901.043499][ C1] net_ratelimit: 20 callbacks suppressed [ 901.043507][ C1] protocol 88fb is buggy, dev hsr_slave_0 07:50:46 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x541b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 901.048217][T22956] binder: 22954:22956 ioctl c018620b 0 returned -14 [ 901.049830][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 901.056110][T22955] binder: 22954:22955 ioctl 2 20000140 returned -22 [ 901.062354][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 901.069557][T22957] binder: 22954:22957 transaction failed 29189/-22, size 24-8 line 2994 [ 901.074682][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 901.074765][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 901.100259][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 901.118406][T22959] binder: 22958:22959 ioctl c018620b 0 returned -14 [ 901.127719][T22959] binder: 22958:22959 ioctl 541b 20000140 returned -22 [ 901.135481][T22959] binder: 22958:22959 transaction failed 29189/-22, size 24-8 line 2994 [ 901.147803][T22959] binder: 22958:22959 BC_INCREFS_DONE u0000000000000000 no match [ 901.158254][T22960] binder: 22958:22960 ioctl c018620b 0 returned -14 [ 901.165651][T22961] binder: 22958:22961 transaction failed 29189/-22, size 24-8 line 2994 [ 901.170202][T22959] binder: 22958:22959 ioctl 541b 20000140 returned -22 [ 901.174253][T22960] binder: 22958:22960 BC_INCREFS_DONE u0000000000000000 no match [ 901.753520][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 901.759386][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 901.765222][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 901.770955][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:48 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(0xffffffffffffffff, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(0xffffffffffffffff, 0xffffffffffffffff) r1 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r1, 0x16) 07:50:48 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5421, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:50:48 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:48 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) 07:50:48 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:48 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 902.596080][T22967] binder: 22966:22967 ioctl c018620b 0 returned -14 [ 902.605670][T22971] binder: 22968:22971 ioctl c018620b 0 returned -14 [ 902.617559][T22975] binder: 22974:22975 ioctl c018620b 0 returned -14 [ 902.618708][T22971] binder_set_nice: 10 callbacks suppressed [ 902.618815][T22971] binder: 22971 RLIMIT_NICE not set [ 902.629999][T22967] binder: 22966:22967 transaction failed 29189/-22, size 24-8 line 2994 07:50:48 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5450, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 902.639381][T22973] binder: 22973 RLIMIT_NICE not set [ 902.646206][T22975] binder: 22975 RLIMIT_NICE not set [ 902.651274][T22972] binder: 22969:22972 ioctl c018620b 0 returned -14 [ 902.657775][T22967] binder: 22966:22967 BC_INCREFS_DONE u0000000000000000 no match [ 902.668517][T22972] binder: 22972 RLIMIT_NICE not set [ 902.674118][T22979] binder: 22966:22979 ioctl c018620b 0 returned -14 [ 902.682286][T22967] binder: 22966:22967 BC_INCREFS_DONE u0000000000000000 no match [ 902.714899][T22984] binder: BINDER_SET_CONTEXT_MGR already set [ 902.721094][T22984] binder: 22969:22984 ioctl 40046207 0 returned -16 [ 902.729180][T22983] binder: 22982:22983 ioctl c018620b 0 returned -14 [ 902.729496][T22984] binder: 22969:22984 Release 1 refcount change on invalid ref 1 ret -22 [ 902.791618][T22985] binder: 22982:22985 BC_INCREFS_DONE node 2201 has no pending increfs request 07:50:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:49 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 903.406504][T31463] binder: release 22969:22984 transaction 2197 out, still active [ 903.446015][T31463] binder: release 22970:22980 transaction 2191 out, still active 07:50:49 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:49 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)}) [ 903.476202][T22990] binder: 22989:22990 ioctl c018620b 0 returned -14 [ 903.482988][T31463] binder: send failed reply for transaction 2191, target dead [ 903.506766][T22991] binder: 22988:22991 ioctl c018620b 0 returned -14 [ 903.514274][T22985] binder: 22982:22985 ioctl c018620b 0 returned -14 [ 903.529315][T22994] binder: 22994 RLIMIT_NICE not set [ 903.534627][T31463] binder: send failed reply for transaction 2194 to 22974:22981 [ 903.534666][T31463] binder: send failed reply for transaction 2197, target dead [ 903.534683][T31463] binder: send failed reply for transaction 2200 to 22982:22983 [ 903.534883][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 903.545821][T22991] binder: 22991 RLIMIT_NICE not set [ 903.567203][T31463] binder: release 22982:22983 transaction 2207 out, still active 07:50:49 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5452, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 903.573132][T22999] binder: 22997:22999 ioctl c018620b 0 returned -14 [ 903.584625][T22999] binder: 22999 RLIMIT_NICE not set [ 903.592768][T22998] binder: 22998 RLIMIT_NICE not set [ 903.608059][T23002] binder: 23001:23002 ioctl c018620b 0 returned -14 [ 903.639161][T23004] binder: BINDER_SET_CONTEXT_MGR already set [ 903.645455][T23004] binder: 22996:23004 ioctl 40046207 0 returned -16 [ 903.661450][T23005] binder: 23001:23005 BC_INCREFS_DONE node 2214 has no pending increfs request [ 904.269410][T31463] binder: release 22988:23000 transaction 2210 out, still active [ 904.293083][T31463] binder: release 22989:22990 transaction 2204 out, still active [ 904.308457][T31463] binder: undelivered TRANSACTION_COMPLETE [ 904.318896][T31463] binder: send failed reply for transaction 2204, target dead [ 904.330552][T31463] binder: send failed reply for transaction 2207, target dead [ 904.340677][T31463] binder: send failed reply for transaction 2210, target dead [ 904.350799][T31463] binder: send failed reply for transaction 2213 to 23001:23002 [ 904.358601][T31463] binder: send failed reply for transaction 2216 to 22997:23003 [ 904.359194][T23002] binder: 23001:23002 ioctl c018620b 0 returned -14 [ 904.371160][T31463] binder: send failed reply for transaction 2219 to 22996:23004 [ 904.386292][T23005] binder: 23001:23005 BC_INCREFS_DONE u0000000000000000 no match [ 904.400798][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 904.417355][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:50:51 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) r0 = gettid() ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(0xffffffffffffffff, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(0xffffffffffffffff, 0xffffffffffffffff) r1 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r1, 0x16) 07:50:51 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:51 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:51 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:51 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) 07:50:51 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5460, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 905.660914][T23017] binder: 23013:23017 ioctl c018620b 0 returned -14 [ 905.668591][T23018] binder: 23016:23018 ioctl c018620b 0 returned -14 [ 905.668663][T23020] binder: 23012:23020 ioctl c018620b 0 returned -14 [ 905.681418][T23019] binder: 23011:23019 ioctl c018620b 0 returned -14 [ 905.688634][T23015] binder: 23015 RLIMIT_NICE not set [ 905.689933][T23020] binder: 23020 RLIMIT_NICE not set [ 905.695262][T23018] binder_transaction: 3 callbacks suppressed [ 905.695276][T23018] binder: 23016:23018 transaction failed 29189/-22, size 24-8 line 2994 [ 905.716545][T23018] binder: 23016:23018 BC_INCREFS_DONE u0000000000000000 no match [ 905.726690][T23023] binder: 23016:23023 ioctl c018620b 0 returned -14 [ 905.733741][T23023] binder: 23016:23023 transaction failed 29189/-22, size 24-8 line 2994 [ 905.742169][T23024] binder: BINDER_SET_CONTEXT_MGR already set [ 905.748330][T23018] binder: 23016:23018 BC_INCREFS_DONE u0000000000000000 no match 07:50:51 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046205, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 905.763801][T23024] binder: 23014:23024 ioctl 40046207 0 returned -16 [ 905.789071][T23029] binder: 23028:23029 ioctl c018620b 0 returned -14 [ 905.842598][T23030] binder: 23028:23030 BC_INCREFS_DONE node 2239 has no pending increfs request 07:50:52 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:52 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 906.452257][T12061] binder: release 23014:23024 transaction 2235 out, still active [ 906.492062][T12061] binder: release 23012:23025 transaction 2226 out, still active 07:50:52 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) 07:50:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 906.523658][T12061] binder: release 23011:23027 transaction 2230 out, still active [ 906.557002][T12061] binder: send failed reply for transaction 2226, target dead [ 906.568551][T23037] binder: 23036:23037 ioctl c018620b 0 returned -14 [ 906.572406][T12061] binder: send failed reply for transaction 2229 to 23013:23026 [ 906.583774][T23030] binder: 23028:23030 ioctl c018620b 0 returned -14 [ 906.597521][T23042] binder: 23040:23042 ioctl c018620b 0 returned -14 [ 906.599371][T12061] binder: send failed reply for transaction 2230, target dead [ 906.606136][T23041] binder: 23039:23041 ioctl c018620b 0 returned -14 07:50:52 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046207, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 906.619198][T12061] binder: send failed reply for transaction 2235, target dead [ 906.627739][T12061] binder: send failed reply for transaction 2238 to 23028:23029 [ 906.643821][T12061] binder: release 23028:23044 transaction 2248 out, still active [ 906.651672][T12061] binder: undelivered TRANSACTION_COMPLETE [ 906.660534][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 906.667643][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 906.674083][T23047] binder: BINDER_SET_CONTEXT_MGR already set [ 906.680139][T23047] binder: 23039:23047 ioctl 40046207 0 returned -16 [ 906.688489][T23047] binder: 23039:23047 Release 1 refcount change on invalid ref 1 ret -22 [ 906.691193][T23049] binder: 23048:23049 ioctl c018620b 0 returned -14 [ 906.706770][T23049] binder: BINDER_SET_CONTEXT_MGR already set [ 906.712920][T23049] binder: 23048:23049 ioctl 40046207 20000140 returned -16 [ 906.767860][T23050] binder: 23048:23050 BC_INCREFS_DONE node 2258 has no pending increfs request [ 907.273479][ C1] net_ratelimit: 20 callbacks suppressed [ 907.273487][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 907.285016][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 907.290803][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 907.296589][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 907.302391][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 907.308163][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 907.343421][T31463] binder: send failed reply for transaction 2242 to 23036:23045 [ 907.351141][T31463] binder: send failed reply for transaction 2245 to 23032:23043 [ 907.387808][T31463] binder: send failed reply for transaction 2248, target dead [ 907.413887][T31463] binder: send failed reply for transaction 2251 to 23040:23046 [ 907.424964][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 907.432646][T23049] binder: 23048:23049 ioctl c018620b 0 returned -14 [ 907.443339][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 907.452794][T23055] binder: 23048:23055 got transaction to context manager from process owning it [ 907.469393][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 907.478202][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 907.484653][T23055] binder: 23048:23055 transaction failed 29201/-22, size 24-8 line 2985 [ 907.494428][T23049] binder: 23048:23049 BC_INCREFS_DONE node 2260 has no pending increfs request [ 907.993467][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 907.999285][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 908.005092][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 908.010846][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:50:54 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) fcntl$setownex(r0, 0xf, &(0x7f00000ff000)) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:50:54 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x2000, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:54 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0) 07:50:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:54 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000780)}) 07:50:54 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 908.711904][T23061] binder: 23056:23061 ioctl c018620b 0 returned -14 [ 908.720499][T23065] binder: 23057:23065 ioctl c018620b 0 returned -14 [ 908.722874][T23067] binder: 23058:23067 ioctl c018620b 0 returned -14 [ 908.730906][T23065] binder_set_nice: 6 callbacks suppressed [ 908.730912][T23065] binder: 23065 RLIMIT_NICE not set [ 908.738293][T23061] binder: 23061 RLIMIT_NICE not set [ 908.743749][T23064] binder: 23064 RLIMIT_NICE not set [ 908.745509][T23060] binder: 23059:23060 ioctl c018620b 0 returned -14 [ 908.751535][T23067] binder: 23067 RLIMIT_NICE not set [ 908.761022][T23060] binder: 23059:23060 transaction failed 29189/-22, size 24-8 line 2994 [ 908.780236][T23068] binder: 23057:23068 transaction failed 29189/-22, size 24-8 line 2994 [ 908.789151][T23070] binder: 23056:23070 transaction failed 29189/-22, size 24-8 line 2994 [ 908.798070][T23072] binder: BINDER_SET_CONTEXT_MGR already set 07:50:54 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40049409, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 908.808270][T23060] binder: 23059:23060 BC_INCREFS_DONE u0000000000000000 no match [ 908.808673][T23070] binder: 23056:23070 BC_INCREFS_DONE u0000000000000000 no match [ 908.826102][T23073] binder: 23059:23073 ioctl c018620b 0 returned -14 [ 908.832765][T23072] binder: 23058:23072 ioctl 40046207 0 returned -16 [ 908.841488][T12061] binder: release 23059:23073 transaction 2269 out, still active [ 908.841705][T23072] binder: 23058:23072 Release 1 refcount change on invalid ref 1 ret -22 [ 908.883801][T23076] binder: 23075:23076 ioctl c018620b 0 returned -14 [ 908.937483][T23077] binder: 23075:23077 BC_INCREFS_DONE node 2276 has no pending increfs request 07:50:55 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 909.523631][T12061] binder: release 23063:23071 transaction 2266 out, still active [ 909.531459][T12061] binder: release 23058:23072 transaction 2272 out, still active 07:50:55 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:55 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0) 07:50:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 909.569457][T12061] binder: send failed reply for transaction 2266, target dead [ 909.588854][T12061] binder: send failed reply for transaction 2269, target dead [ 909.621952][T23083] binder: 23082:23083 ioctl c018620b 0 returned -14 [ 909.639855][T12061] binder: send failed reply for transaction 2272, target dead [ 909.646286][T23087] binder: 23084:23087 ioctl c018620b 0 returned -14 [ 909.658139][T23086] binder: 23086 RLIMIT_NICE not set [ 909.660914][T12061] binder_send_failed_reply: 2 callbacks suppressed [ 909.660923][T12061] binder: send failed reply for transaction 2275 to 23075:23076 [ 909.668547][T23089] binder: 23088:23089 ioctl c018620b 0 returned -14 [ 909.670672][T23076] binder: 23075:23076 ioctl c018620b 0 returned -14 [ 909.678410][T23087] binder: 23087 RLIMIT_NICE not set [ 909.690271][T23090] binder: 23090 RLIMIT_NICE not set [ 909.692074][T23089] binder: 23089 RLIMIT_NICE not set [ 909.697552][T23083] binder: 23082:23083 transaction failed 29189/-22, size 24-8 line 2994 07:50:55 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4018620d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 909.717071][T31463] binder: release 23075:23077 transaction 2283 out, still active [ 909.717945][T23083] binder: 23082:23083 BC_INCREFS_DONE u0000000000000000 no match [ 909.739135][T23093] binder: BINDER_SET_CONTEXT_MGR already set [ 909.748392][T23093] binder: 23088:23093 ioctl 40046207 0 returned -16 [ 909.757708][T23093] binder: 23088:23093 Release 1 refcount change on invalid ref 1 ret -22 [ 909.786805][T23096] binder: 23094:23096 ioctl c018620b 0 returned -14 [ 909.802547][T23096] binder: BINDER_SET_CONTEXT_MGR already set [ 909.809256][T23096] binder: 23094:23096 ioctl 4018620d 20000140 returned -16 [ 909.863572][T23097] binder: 23094:23097 BC_INCREFS_DONE node 2293 has no pending increfs request [ 910.443756][T31463] binder: release 23085:23091 transaction 2280 out, still active [ 910.472500][T31463] binder: send failed reply for transaction 2280, target dead [ 910.496290][T31463] binder: send failed reply for transaction 2283, target dead [ 910.522060][T31463] binder: send failed reply for transaction 2286 to 23084:23092 [ 910.531058][T31463] binder: send failed reply for transaction 2289 to 23088:23093 [ 910.541366][T31463] binder: send failed reply for transaction 2292 to 23094:23096 [ 910.550129][T23096] binder: 23094:23096 ioctl c018620b 0 returned -14 [ 910.550922][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 910.557251][T23097] binder: 23094:23097 got transaction to context manager from process owning it [ 910.563051][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 910.572879][T23097] binder: 23094:23097 transaction failed 29201/-22, size 24-8 line 2985 [ 910.587708][T23096] binder: 23094:23096 BC_INCREFS_DONE u0000000000000000 node 2295 cookie mismatch 0000000000000000 != 00000000200000c0 07:50:57 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) fcntl$setownex(r0, 0xf, &(0x7f00000ff000)) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:50:57 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 07:50:57 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0) 07:50:57 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:57 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:50:57 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4020940d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 911.749600][T23107] binder: 23103:23107 ioctl c018620b 0 returned -14 [ 911.751251][T23109] binder: 23104:23109 ioctl c018620b 0 returned -14 [ 911.758195][T23106] binder: 23106 RLIMIT_NICE not set [ 911.768959][T23108] binder: 23101:23108 ioctl c018620b 0 returned -14 [ 911.769505][T23110] binder: 23102:23110 ioctl c018620b 0 returned -14 [ 911.781763][T23107] binder: 23103:23107 transaction failed 29189/-22, size 24-8 line 2994 [ 911.791241][T23108] binder: 23108 RLIMIT_NICE not set 07:50:57 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x402c5828, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 911.796937][T23107] binder: 23103:23107 BC_INCREFS_DONE u0000000000000000 no match [ 911.809988][T23114] binder: 23103:23114 ioctl c018620b 0 returned -14 [ 911.817973][T12061] binder: release 23103:23114 transaction 2302 out, still active [ 911.840894][T23118] binder: BINDER_SET_CONTEXT_MGR already set [ 911.847060][T23118] binder: 23102:23118 ioctl 40046207 0 returned -16 [ 911.857626][T23120] binder: 23119:23120 ioctl c018620b 0 returned -14 [ 911.865773][T23118] binder: 23102:23118 Release 1 refcount change on invalid ref 1 ret -22 [ 911.919553][T23121] binder: 23119:23121 BC_INCREFS_DONE node 2315 has no pending increfs request 07:50:58 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000009c0)}) [ 912.541266][T31463] binder: release 23105:23113 transaction 2299 out, still active 07:50:58 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) 07:50:58 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:50:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 912.586362][T31463] binder: release 23102:23118 transaction 2311 out, still active [ 912.619566][T31463] binder: send failed reply for transaction 2299, target dead [ 912.646075][T23124] binder: 23123:23124 ioctl c018620b 0 returned -14 [ 912.654929][T31463] binder: send failed reply for transaction 2302, target dead [ 912.664050][T23121] binder: 23119:23121 ioctl c018620b 0 returned -14 [ 912.674361][T23129] binder: 23128:23129 ioctl c018620b 0 returned -14 [ 912.681087][T23132] binder: 23119:23132 transaction failed 29189/-22, size 24-8 line 2994 [ 912.690260][T31463] binder: send failed reply for transaction 2305 to 23101:23116 [ 912.692042][T23133] binder: 23131:23133 ioctl c018620b 0 returned -14 [ 912.698421][T31463] binder: send failed reply for transaction 2308 to 23104:23115 [ 912.714667][T31463] binder: send failed reply for transaction 2311, target dead [ 912.733483][T31463] binder: send failed reply for transaction 2314 to 23119:23120 [ 912.741365][T31463] binder: undelivered TRANSACTION_COMPLETE 07:50:58 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x402c582a, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 912.741379][T23136] binder: 23123:23136 transaction failed 29189/-22, size 24-8 line 2994 [ 912.741493][T23136] binder: 23123:23136 BC_INCREFS_DONE u0000000000000000 no match [ 912.747804][T23137] binder: 23128:23137 transaction failed 29189/-22, size 24-8 line 2994 [ 912.772013][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 912.778287][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 912.785011][T23139] binder: BINDER_SET_CONTEXT_MGR already set [ 912.791053][T23139] binder: 23134:23139 ioctl 40046207 0 returned -16 [ 912.797858][T31463] binder: release 23131:23138 transaction 2321 out, still active [ 912.806113][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 912.806194][T23141] binder: 23128:23141 BC_INCREFS_DONE u0000000000000000 no match [ 912.820283][T23142] binder: 23140:23142 ioctl c018620b 0 returned -14 [ 912.833292][T12061] binder: send failed reply for transaction 2321, target dead [ 912.841349][T12061] binder: send failed reply for transaction 2324 to 23134:23139 [ 912.876485][T23144] binder: 23140:23144 BC_INCREFS_DONE u0000000000000000 no match [ 912.884351][T12061] binder: send failed reply for transaction 2327 to 23140:23142 [ 912.892120][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 912.911593][T23144] binder: 23140:23144 ioctl c018620b 0 returned -14 [ 912.926428][T23144] binder: 23140:23144 transaction failed 29189/-22, size 24-8 line 2994 [ 912.935466][T23142] binder: 23140:23142 BC_INCREFS_DONE u0000000000000000 no match [ 913.513460][ C1] net_ratelimit: 20 callbacks suppressed [ 913.513468][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 913.524942][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 913.530715][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 913.536481][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 913.542259][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 913.548043][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 914.233509][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 914.239375][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 914.245201][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 914.250931][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:51:00 executing program 1: clock_nanosleep(0x0, 0xfffffffffdffffff, 0x0, 0x0) socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) fcntl$setownex(r0, 0xf, &(0x7f00000ff000)) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:51:00 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:51:00 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:00 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000009c0)}) 07:51:00 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x0) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) [ 914.806857][T23149] binder: 23148:23149 ioctl c018620b 0 returned -14 [ 914.819608][T23153] binder: 23150:23153 ioctl c018620b 0 returned -14 [ 914.825734][T23157] binder: 23155:23157 ioctl c018620b 0 returned -14 [ 914.835410][T23154] binder: 23152:23154 ioctl c018620b 0 returned -14 [ 914.840064][T23153] binder_set_nice: 6 callbacks suppressed [ 914.840070][T23153] binder: 23153 RLIMIT_NICE not set [ 914.842914][T23157] binder: 23157 RLIMIT_NICE not set [ 914.849586][T23149] binder: 23149 RLIMIT_NICE not set [ 914.856188][T23154] binder: 23152:23154 transaction failed 29189/-22, size 24-8 line 2994 [ 914.874339][T23154] binder: 23152:23154 BC_INCREFS_DONE u0000000000000000 no match [ 914.882540][T23156] binder: 23156 RLIMIT_NICE not set [ 914.884710][T23160] binder: 23152:23160 ioctl c018620b 0 returned -14 [ 914.895195][T23162] binder: BINDER_SET_CONTEXT_MGR already set 07:51:00 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 914.901382][T23162] binder: 23155:23162 ioctl 40046207 0 returned -16 [ 914.902495][T31463] binder: release 23152:23160 transaction 2333 out, still active [ 914.928507][T23165] binder: BINDER_SET_CONTEXT_MGR already set [ 914.935825][T23165] binder: 23151:23165 ioctl 40046207 0 returned -16 [ 914.950608][T23167] binder: 23166:23167 ioctl c018620b 0 returned -14 [ 915.004580][T23168] binder: 23166:23168 BC_INCREFS_DONE node 2349 has no pending increfs request 07:51:01 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000009c0)}) [ 915.602730][T12061] binder: release 23148:23163 transaction 2336 out, still active [ 915.618984][T31463] binder: release 23150:23161 transaction 2337 out, still active 07:51:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:51:01 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x0) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 915.648703][T31463] binder: release 23155:23162 transaction 2342 out, still active [ 915.690498][T31463] binder: release 23151:23165 transaction 2345 out, still active [ 915.708327][T23173] binder: 23172:23173 ioctl c018620b 0 returned -14 [ 915.728019][T12061] binder: send failed reply for transaction 2333, target dead [ 915.735618][T23175] binder: 23175 RLIMIT_NICE not set 07:51:01 executing program 2: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5452, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 915.741790][T23173] binder: 23173 RLIMIT_NICE not set [ 915.750167][T23168] binder: 23166:23168 ioctl c018620b 0 returned -14 [ 915.751707][T12061] binder: send failed reply for transaction 2336, target dead [ 915.764430][T23177] binder: 23176:23177 ioctl c018620b 0 returned -14 [ 915.765376][T12061] binder: send failed reply for transaction 2337, target dead [ 915.777847][T23177] binder: 23177 RLIMIT_NICE not set [ 915.782204][T12061] binder: send failed reply for transaction 2342, target dead [ 915.795542][T12061] binder: send failed reply for transaction 2345, target dead [ 915.807223][T12061] binder: send failed reply for transaction 2348 to 23166:23167 [ 915.816004][T12061] binder: release 23166:23180 transaction 2355 out, still active [ 915.823867][T23184] binder: BINDER_SET_CONTEXT_MGR already set [ 915.829898][T23184] binder: 23176:23184 ioctl 40046207 0 returned -16 07:51:01 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620c, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 915.829918][T12061] binder: undelivered TRANSACTION_COMPLETE [ 915.844059][T23181] binder: 23179:23181 ioctl c018620b 0 returned -14 [ 915.848268][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 915.854051][T23186] binder: 23185:23186 ioctl c018620b 0 returned -14 [ 915.869117][T23186] binder: 23185 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 915.869129][T23186] binder: 23185:23186 ioctl c018620c 20000140 returned -22 [ 915.912427][T23187] binder: 23179:23187 BC_INCREFS_DONE node 2362 has no pending increfs request [ 915.931412][T23188] binder: 23185:23188 BC_INCREFS_DONE node 2368 has no pending increfs request [ 916.491190][T12061] binder: release 23172:23183 transaction 2358 out, still active [ 916.523695][T12061] binder: release 23174:23182 transaction 2352 out, still active [ 916.539680][T12061] binder: release 23176:23184 transaction 2364 out, still active [ 916.551121][T12061] binder: send failed reply for transaction 2352, target dead [ 916.558890][T12061] binder: send failed reply for transaction 2355, target dead [ 916.566601][T12061] binder: send failed reply for transaction 2358, target dead [ 916.574263][T12061] binder: send failed reply for transaction 2361 to 23179:23181 [ 916.595389][T12061] binder: send failed reply for transaction 2364, target dead [ 916.611285][T12061] binder: send failed reply for transaction 2367 to 23185:23186 [ 916.619824][T23186] binder: 23185:23186 ioctl c018620b 0 returned -14 [ 916.633567][T23188] binder: 23185:23188 transaction failed 29189/-22, size 24-8 line 2994 [ 916.642069][T23186] binder: 23185 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 916.642083][T23186] binder: 23185:23186 ioctl c018620c 20000140 returned -22 [ 916.650531][T23188] binder: 23185:23188 BC_INCREFS_DONE u0000000000000000 no match 07:51:03 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:03 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, &(0x7f00000009c0)}) 07:51:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f00000009c0)}) 07:51:03 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x0) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:03 executing program 2 (fault-call:11 fault-nth:0): syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:03 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0189436, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 917.871910][T23196] binder: 23194:23196 ioctl c018620b 0 returned -14 [ 917.879620][T23198] binder: 23197:23198 ioctl c018620b 0 returned -14 [ 917.885850][T23196] binder: 23196 RLIMIT_NICE not set [ 917.887168][T23203] binder: 23202:23203 ioctl c018620b 0 returned -14 [ 917.895155][T23201] binder: 23201 RLIMIT_NICE not set [ 917.898776][T23198] binder: 23198 RLIMIT_NICE not set [ 917.908492][T23199] binder: 23195:23199 ioctl c018620b 0 returned -14 [ 917.916131][T23199] binder: 23195:23199 transaction failed 29189/-22, size 24-8 line 2994 [ 917.924935][T23199] binder: 23195:23199 BC_INCREFS_DONE u0000000000000000 no match [ 917.933231][T23206] binder: 23194:23206 transaction failed 29189/-22, size 24-8 line 2994 [ 917.954540][T23210] binder: 23195:23210 ioctl c018620b 0 returned -14 [ 917.960482][T23211] binder: BINDER_SET_CONTEXT_MGR already set 07:51:03 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x0, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:03 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc020660b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 917.961384][T23206] binder: 23194:23206 BC_INCREFS_DONE u0000000000000000 no match [ 917.967307][T23211] binder: 23202:23211 ioctl 40046207 0 returned -16 [ 917.993859][T12061] binder: release 23195:23210 transaction 2380 out, still active [ 918.021286][T23215] binder: 23214:23215 ioctl c018620b 0 returned -14 [ 918.074887][T23216] binder: 23214:23216 BC_INCREFS_DONE node 2387 has no pending increfs request 07:51:04 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, &(0x7f00000009c0)}) [ 918.664050][T23198] FAULT_INJECTION: forcing a failure. [ 918.664050][T23198] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 918.687879][T12061] binder: send failed reply for transaction 2374, target dead [ 918.702294][T12061] binder: send failed reply for transaction 2386 to 23214:23215 [ 918.710271][T23198] CPU: 0 PID: 23198 Comm: syz-executor.2 Not tainted 5.1.0-rc2 #36 [ 918.710810][T23215] binder: 23214:23215 ioctl c018620b 0 returned -14 [ 918.718164][T23198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 918.718272][T23198] Call Trace: [ 918.718298][T23198] dump_stack+0x172/0x1f0 [ 918.718320][T23198] should_fail.cold+0xa/0x15 [ 918.718338][T23198] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 918.718355][T23198] ? ___might_sleep+0x163/0x280 [ 918.718377][T23198] should_fail_alloc_page+0x50/0x60 07:51:04 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x1000000, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:04 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 918.718389][T23198] __alloc_pages_nodemask+0x1a1/0x7e0 [ 918.718409][T23198] ? __alloc_pages_slowpath+0x28b0/0x28b0 [ 918.743555][T23219] binder: 23214:23219 transaction failed 29189/-22, size 24-8 line 2994 [ 918.747186][T23198] ? __fget+0x35a/0x550 [ 918.747218][T23198] ? __fget+0x35a/0x550 [ 918.747234][T23198] ? pmd_val+0x85/0x100 [ 918.747250][T23198] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 918.747268][T23198] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 918.796260][T23222] binder: 23221:23222 ioctl c018620b 0 returned -14 07:51:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 918.801060][T23198] alloc_pages_vma+0xdd/0x540 [ 918.801084][T23198] __handle_mm_fault+0x1dd4/0x3ec0 [ 918.801105][T23198] ? vmf_insert_mixed_mkwrite+0x40/0x40 [ 918.801121][T23198] ? find_held_lock+0x35/0x130 [ 918.801140][T23198] ? handle_mm_fault+0x322/0xb30 [ 918.813942][T23198] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 918.813962][T23198] ? kasan_check_read+0x11/0x20 [ 918.813980][T23198] handle_mm_fault+0x43f/0xb30 [ 918.814002][T23198] __do_page_fault+0x5ef/0xda0 [ 918.814030][T23198] do_page_fault+0x71/0x581 [ 918.823783][T23198] ? page_fault+0x8/0x30 [ 918.823798][T23198] page_fault+0x1e/0x30 [ 918.823811][T23198] RIP: 0023:0x80975cc [ 918.823826][T23198] Code: 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 55 57 56 53 81 ec cc 20 00 00 8b 58 68 85 db 0f 85 2b 01 00 00 c7 40 68 ff ff ff ff <89> 84 24 b0 00 00 00 89 c3 8d 84 24 c0 00 00 00 c7 84 24 80 00 00 [ 918.823833][T23198] RSP: 002b:00000000f5dd6b00 EFLAGS: 00010246 [ 918.823845][T23198] RAX: 0000000008127dc0 RBX: 00000000ffffffff RCX: 00000000f5dd9104 [ 918.823853][T23198] RDX: 00000000080ddf9c RSI: 00000000ffffffff RDI: 00000000f5dd9b40 [ 918.823861][T23198] RBP: 00000000f5dd90a8 R08: 0000000000000000 R09: 0000000000000000 [ 918.823870][T23198] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000 [ 918.823878][T23198] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 918.837709][T23224] binder: 23218:23224 ioctl c018620b 0 returned -14 [ 918.880112][T23228] binder: 23226:23228 ioctl c018620b 0 returned -14 07:51:04 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 918.920036][ T1043] oom_reaper: reaped process 23198 (syz-executor.2), now anon-rss:0kB, file-rss:34832kB, shmem-rss:0kB [ 918.969251][T23232] binder: BINDER_SET_CONTEXT_MGR already set [ 918.969263][T23230] binder: 23218:23230 BC_INCREFS_DONE node 2398 has no pending increfs request [ 918.985418][T23232] binder: 23226:23232 ioctl 40046207 0 returned -16 [ 918.994680][T23232] binder: 23226:23232 ioctl c0306201 0 returned -14 [ 919.015291][T23235] binder: 23234:23235 ioctl c018620b 0 returned -14 07:51:05 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0xfdfdffff, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 919.595675][T23229] binder: 23221:23229 ioctl c018620b 0 returned -14 07:51:05 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:05 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, &(0x7f00000009c0)}) [ 919.643427][T12061] binder: unexpected work type, 4, not freed [ 919.649466][T12061] binder: undelivered TRANSACTION_COMPLETE [ 919.649630][T12061] binder: send failed reply for transaction 2400 to 23226:23232 [ 919.666834][T23239] binder: 23238:23239 ioctl c018620b 0 returned -14 07:51:05 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x2, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 919.699468][T12061] binder: send failed reply for transaction 2403 to 23234:23236 [ 919.727777][T23239] binder: 23238:23239 transaction failed 29189/-22, size 24-8 line 2994 [ 919.746673][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 919.753466][ C1] net_ratelimit: 20 callbacks suppressed [ 919.753473][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 919.756162][T23248] binder: 23246:23248 ioctl c018620b 0 returned -14 [ 919.759162][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 919.759250][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 919.768103][T23248] binder: 23246:23248 ioctl 2 20000140 returned -22 [ 919.771638][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:51:05 executing program 3 (fault-call:4 fault-nth:0): r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 919.771719][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 919.801168][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 919.804873][T23239] binder: 23238:23239 BC_INCREFS_DONE u0000000000000000 no match [ 919.814859][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 919.826695][T23252] binder: 23247:23252 ioctl c018620b 0 returned -14 [ 919.832575][T23254] binder: 23246:23254 BC_INCREFS_DONE node 2415 has no pending increfs request [ 919.842671][T23251] binder: 23250:23251 ioctl c018620b 0 returned -14 [ 919.854837][T23242] binder: 23238:23242 ioctl c018620b 0 returned -14 [ 919.862439][T23251] binder_set_nice: 7 callbacks suppressed [ 919.862443][T23251] binder: 23251 RLIMIT_NICE not set [ 919.908681][T23257] binder: BINDER_SET_CONTEXT_MGR already set [ 919.914881][T23257] binder: 23250:23257 ioctl 40046207 0 returned -16 [ 919.922491][T23257] binder: 23250:23257 ioctl c0306201 0 returned -14 [ 920.473474][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 920.479314][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 920.485155][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 920.490917][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 920.520962][T12061] binder_thread_release: 8 callbacks suppressed [ 920.520972][T12061] binder: release 23243:23249 transaction 2411 out, still active [ 920.540252][T12061] binder: send failed reply for transaction 2414 to 23246:23248 [ 920.548028][T12061] binder: send failed reply for transaction 2420 to 23247:23256 [ 920.548052][T12061] binder: send failed reply for transaction 2423 to 23250:23257 [ 920.556766][T23248] binder: 23246:23248 ioctl c018620b 0 returned -14 [ 920.573928][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 920.585288][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 920.588823][T23254] binder: 23246:23254 transaction failed 29189/-22, size 24-8 line 2994 [ 920.601334][T23248] binder: 23246:23248 ioctl 2 20000140 returned -22 07:51:06 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x0, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:06 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0xfffffdfd, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:06 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:06 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) 07:51:06 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x541b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 921.022128][T23271] binder: 23270:23271 ioctl c018620b 0 returned -14 [ 921.029541][T23265] binder: 23264:23265 ioctl c018620b 0 returned -14 [ 921.029856][T23267] binder: 23266:23267 ioctl c018620b 0 returned -14 [ 921.047074][T23269] binder: 23269 RLIMIT_NICE not set [ 921.052434][T23271] binder: 23270:23271 ioctl 541b 20000140 returned -22 [ 921.053801][T23265] binder: 23265 RLIMIT_NICE not set [ 921.059784][T23267] binder: 23267 RLIMIT_NICE not set [ 921.070556][T23263] binder: 23262:23263 ioctl c018620b 0 returned -14 [ 921.071446][T23271] binder: 23270:23271 transaction failed 29189/-22, size 24-8 line 2994 [ 921.087033][T23271] binder: 23270:23271 BC_INCREFS_DONE u0000000000000000 no match [ 921.093533][T23274] binder: 23266:23274 transaction failed 29189/-22, size 24-8 line 2994 [ 921.096977][T23276] binder: 23270:23276 ioctl c018620b 0 returned -14 [ 921.110019][T23274] binder: 23266:23274 BC_INCREFS_DONE u0000000000000000 no match 07:51:06 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x5421, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 921.110519][T23277] binder: BINDER_SET_CONTEXT_MGR already set [ 921.122679][T23271] binder: 23270:23271 ioctl 541b 20000140 returned -22 [ 921.123956][T23277] binder: 23264:23277 ioctl 40046207 0 returned -16 [ 921.142279][T23277] binder: 23264:23277 ioctl c0306201 0 returned -14 [ 921.143940][T31463] binder: release 23270:23278 transaction 2433 out, still active [ 921.186862][T23282] binder: 23281:23282 ioctl c018620b 0 returned -14 [ 921.194552][T23282] binder: 23281:23282 ioctl c0306201 20000440 returned -11 [ 921.202303][T23282] binder: 23281:23282 BC_INCREFS_DONE node 2443 has no pending increfs request [ 921.217211][T23283] binder: 23281:23283 ioctl c018620b 0 returned -14 [ 921.224345][T23283] binder: 23281:23283 ioctl c0306201 20000440 returned -11 07:51:06 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x5450, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 921.231847][T23282] binder: 23281:23282 BC_INCREFS_DONE node 2446 has no pending increfs request [ 921.231941][T31463] binder: release 23281:23282 transaction 2442 out, still active [ 921.254784][T31463] binder: unexpected work type, 4, not freed [ 921.272519][T31463] binder: undelivered TRANSACTION_COMPLETE [ 921.277887][T23287] binder: 23286:23287 ioctl c018620b 0 returned -14 [ 921.285290][T31463] binder: release 23281:23283 transaction 2445 out, still active [ 921.293044][T31463] binder: unexpected work type, 4, not freed [ 921.304056][T31463] binder: undelivered TRANSACTION_COMPLETE [ 921.332472][T23288] binder: 23286:23288 BC_INCREFS_DONE node 2449 has no pending increfs request 07:51:07 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) 07:51:07 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 921.804146][T23279] binder: 23262:23279 ioctl c018620b 0 returned -14 [ 921.812523][T12061] binder: release 23262:23289 transaction 2451 out, still active [ 921.834072][T12061] binder: release 23268:23275 transaction 2430 out, still active 07:51:07 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x100000000000000, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 921.889628][T12061] binder_send_failed_reply: 9 callbacks suppressed [ 921.889636][T12061] binder: send failed reply for transaction 2430, target dead [ 921.890701][T23293] binder: 23292:23293 ioctl c018620b 0 returned -14 [ 921.920963][T12061] binder: send failed reply for transaction 2433, target dead [ 921.947061][T12061] binder: send failed reply for transaction 2436 to 23262:23279 [ 921.952610][T23295] binder: 23294:23295 ioctl c018620b 0 returned -14 [ 921.956637][T23298] binder: 23298 RLIMIT_NICE not set [ 921.967285][T12061] binder: send failed reply for transaction 2439 to 23264:23277 [ 921.976888][T23300] binder: 23300 RLIMIT_NICE not set [ 921.980260][T12061] binder: send failed reply for transaction 2442, target dead [ 921.988159][T23293] binder: 23292:23293 transaction failed 29189/-22, size 24-8 line 2994 [ 921.990694][T12061] binder: send failed reply for transaction 2445, target dead [ 922.002451][T23293] binder: 23292:23293 BC_INCREFS_DONE u0000000000000000 no match [ 922.006838][T12061] binder: send failed reply for transaction 2448 to 23286:23287 [ 922.022396][T23287] binder: 23286:23287 ioctl c018620b 0 returned -14 [ 922.029504][T23301] binder: 23299:23301 ioctl c018620b 0 returned -14 [ 922.029844][T12061] binder: send failed reply for transaction 2451, target dead [ 922.049920][T23301] binder: 23299:23301 ioctl 2 20000140 returned -22 [ 922.059016][T12061] binder: release 23286:23288 transaction 2462 out, still active [ 922.062759][T23301] binder: BINDER_SET_CONTEXT_MGR already set [ 922.084324][T23301] binder: 23299:23301 ioctl 40046207 0 returned -16 [ 922.090790][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 922.106206][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 922.147626][T23306] binder: 23299:23306 BC_INCREFS_DONE node 2466 has no pending increfs request [ 922.157206][T23306] binder: 23299:23306 ioctl c0306201 0 returned -14 [ 922.732098][T23307] binder: 23294:23307 ioctl c018620b 0 returned -14 [ 922.740331][T31463] binder: release 23294:23307 transaction 2468 out, still active [ 922.753321][T31463] binder: release 23297:23302 transaction 2456 out, still active [ 922.767812][T31463] binder: release 23294:23303 transaction 2459 out, still active [ 922.779078][T23306] binder_alloc: binder_alloc_mmap_handler: 23299 20001000-20004000 already mapped failed -16 [ 922.799296][T31463] binder: send failed reply for transaction 2456, target dead [ 922.804424][T23306] binder: 23299:23306 ioctl c018620b 0 returned -14 [ 922.813808][T31463] binder: send failed reply for transaction 2459, target dead [ 922.818959][T23309] binder: 23299:23309 ioctl 2 20000140 returned -22 [ 922.821326][T31463] binder: send failed reply for transaction 2462, target dead [ 922.828211][T23309] binder_alloc: 23299: binder_alloc_buf, no vma [ 922.840925][T31463] binder: send failed reply for transaction 2465 to 23299:23301 [ 922.844049][T23309] binder: 23299:23309 transaction failed 29189/-3, size 24-8 line 3147 [ 922.852033][T31463] binder: send failed reply for transaction 2468, target dead [ 922.858817][T23306] binder: 23299:23306 ioctl c0306201 0 returned -14 [ 922.872192][T23301] binder: 23299:23301 BC_INCREFS_DONE u0000000000000000 no match 07:51:09 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x0, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:09 executing program 5: openat(0xffffffffffffffff, 0x0, 0x0, 0x2) memfd_create(0x0, 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, 0x0, 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) 07:51:09 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x5452, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:09 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0xfdfdffff00000000, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:09 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x541b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 924.068736][T23315] binder: 23314:23315 ioctl c018620b 0 returned -14 [ 924.073733][T23313] binder: 23311:23313 ioctl c018620b 0 returned -14 [ 924.081750][T23319] binder: 23318:23319 ioctl c018620b 0 returned -14 [ 924.089399][T23313] binder: 23313 RLIMIT_NICE not set [ 924.094601][T23317] binder: 23317 RLIMIT_NICE not set [ 924.096309][T23319] binder: 23318:23319 ioctl 541b 20000140 returned -22 [ 924.108512][T23320] binder: 23312:23320 ioctl c018620b 0 returned -14 [ 924.140478][T23324] binder: BINDER_SET_CONTEXT_MGR already set [ 924.147151][T23324] binder: 23316:23324 ioctl 40046207 0 returned -16 [ 924.154684][T23326] binder: 23318:23326 BC_INCREFS_DONE node 2475 has no pending increfs request [ 924.164334][T23327] binder: 23312:23327 BC_INCREFS_DONE node 2478 has no pending increfs request [ 924.174107][T23326] binder: 23318:23326 ioctl c0306201 0 returned -14 07:51:10 executing program 5: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000040)={0xb, 0x7f, 0x7, 0x5, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000140)={r0, &(0x7f0000000040), 0x0}, 0x20) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000000)={r0, &(0x7f0000000180), 0x0}, 0x18) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000001c0)={r0, &(0x7f0000000000), 0x0}, 0x20) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000340)={r0, &(0x7f0000000300)="1f67f5f2687a0614637e4003c015", 0x0}, 0x18) [ 924.860567][T23325] binder: 23314:23325 ioctl c018620b 0 returned -14 [ 924.871011][T23326] binder_alloc: binder_alloc_mmap_handler: 23318 20001000-20004000 already mapped failed -16 [ 924.882136][T23327] binder: 23312:23327 ioctl c018620b 0 returned -14 [ 924.898444][T23330] binder_alloc: 23318: binder_alloc_buf, no vma 07:51:10 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(0x0, 0x0, 0x1) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:10 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630b}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 924.910894][T23326] binder: 23318:23326 ioctl c018620b 0 returned -14 [ 924.930800][T23330] binder: 23312:23330 transaction failed 29189/-3, size 24-8 line 3147 [ 924.943285][T23331] binder: 23318:23331 ioctl 541b 20000140 returned -22 07:51:10 executing program 5: perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket(0x1e, 0x4, 0x0) r1 = socket(0x1e, 0x4, 0x0) setsockopt$packet_tx_ring(r1, 0x10f, 0x87, &(0x7f00000000c0)=@req={0x3fc}, 0x10) setsockopt$packet_tx_ring(r0, 0x10f, 0x87, &(0x7f0000265000)=@req={0x3fc}, 0x10) sendmmsg(r0, &(0x7f0000000a40), 0x8000000000000b0, 0x0) [ 924.962239][T23336] binder: 23336 RLIMIT_NICE not set [ 924.967921][T23327] binder: 23312:23327 BC_INCREFS_DONE u0000000000000000 no match [ 924.975870][T23338] binder: BINDER_SET_CONTEXT_MGR already set [ 924.981917][T23338] binder: 23318:23338 ioctl 40046207 0 returned -16 07:51:10 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x5460, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 925.008745][T23342] binder: 23340:23342 ioctl c018620b 0 returned -14 [ 925.008781][T23343] binder: BINDER_SET_CONTEXT_MGR already set [ 925.015609][T23326] binder: 23318:23326 BC_INCREFS_DONE u0000000000000000 no match [ 925.040146][T23342] binder: 23340:23342 ERROR: BC_REGISTER_LOOPER called without request [ 925.041145][T23343] binder: 23335:23343 ioctl 40046207 0 returned -16 [ 925.052747][T23331] binder: 23318:23331 ioctl c0306201 0 returned -14 [ 925.070582][T23342] binder: 23342 RLIMIT_NICE not set 07:51:10 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 925.092556][T23351] binder_alloc: 23318: binder_alloc_buf, no vma [ 925.101550][T31463] binder: send failed reply for transaction 2474 to 23318:23319 [ 925.130206][T31463] binder: send failed reply for transaction 2477, target dead [ 925.138476][T23351] binder: 23340:23351 transaction failed 29189/-3, size 24-8 line 3147 [ 925.138752][T23353] binder: 23340:23353 BC_INCREFS_DONE u0000000000000000 no match [ 925.154946][T23350] binder: 23349:23350 ioctl c018620b 0 returned -14 [ 925.157284][T23347] binder_alloc: 23318: binder_alloc_buf, no vma [ 925.169196][T23350] binder: 23349:23350 transaction failed 29189/-22, size 24-8 line 2994 [ 925.178859][T23343] binder: 23335:23343 BC_INCREFS_DONE u0000000000000000 no match [ 925.180907][T23350] binder: 23349:23350 BC_INCREFS_DONE u0000000000000000 no match [ 925.189013][T23347] binder: 23335:23347 transaction failed 29189/-3, size 24-8 line 3147 [ 925.213819][T23358] binder: 23349:23358 ioctl c018620b 0 returned -14 [ 925.221027][T23358] binder: 23349:23358 transaction failed 29189/-22, size 24-8 line 2994 [ 925.229875][T23350] binder: 23349:23350 BC_INCREFS_DONE u0000000000000000 no match [ 925.802962][T23351] binder: 23340:23351 ioctl c018620b 0 returned -14 [ 925.809939][T23351] binder: 23340:23351 ERROR: BC_REGISTER_LOOPER called without request [ 925.818534][T23353] binder: 23340:23353 transaction failed 29189/-22, size 24-8 line 2994 [ 925.822547][T23351] binder: 23351 RLIMIT_NICE not set [ 926.003470][ C1] net_ratelimit: 20 callbacks suppressed [ 926.003479][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 926.014944][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 926.020711][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 926.026483][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 926.032263][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 926.038050][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 926.713522][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 926.719322][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 926.725147][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 926.730880][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:51:12 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x40046205, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:12 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(0xffffffffffffffff, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(0xffffffffffffffff, 0xffffffffffffffff) r1 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r1, 0x16) 07:51:12 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5421, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:12 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:12 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630d}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 927.106412][T23367] binder: 23365:23367 ioctl c018620b 0 returned -14 [ 927.131479][T23370] binder: 23368:23370 ioctl c018620b 0 returned -14 [ 927.133595][T23373] binder: 23366:23373 ioctl c018620b 0 returned -14 [ 927.138587][T23372] binder: 23372 RLIMIT_NICE not set [ 927.148747][T23373] binder: 23366:23373 transaction failed 29189/-22, size 24-8 line 2994 [ 927.155894][T23370] binder: 23368:23370 ioctl c0306201 20000440 returned -11 [ 927.159279][T23373] binder_thread_write: 1 callbacks suppressed [ 927.159289][T23373] binder: 23366:23373 BC_INCREFS_DONE u0000000000000000 no match [ 927.171529][T23370] binder: 23368:23370 BC_INCREFS_DONE node 2501 has no pending increfs request [ 927.174891][T23378] binder: 23366:23378 ioctl c018620b 0 returned -14 [ 927.180243][T23370] binder: 23368:23370 ioctl c0306201 0 returned -14 [ 927.191359][T23380] binder: BINDER_SET_CONTEXT_MGR already set [ 927.203133][T23381] binder_alloc: binder_alloc_mmap_handler: 23368 20001000-20004000 already mapped failed -16 [ 927.208465][T23380] binder: 23369:23380 ioctl 40046207 0 returned -16 [ 927.220369][T23370] binder: 23368:23370 ioctl c018620b 0 returned -14 [ 927.228353][T23380] binder_alloc: 23368: binder_alloc_buf, no vma [ 927.233822][T23370] binder: BINDER_SET_CONTEXT_MGR already set [ 927.250540][T23370] binder: 23368:23370 ioctl 40046207 0 returned -16 07:51:12 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x40046207, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 927.250812][T12061] binder_thread_release: 5 callbacks suppressed [ 927.250822][T12061] binder: release 23366:23378 transaction 2506 out, still active [ 927.257338][T23380] binder: 23369:23380 transaction failed 29189/-3, size 24-8 line 3147 [ 927.269733][T12061] binder: unexpected work type, 4, not freed [ 927.273599][T23381] binder_alloc: 23368: binder_alloc_buf, no vma [ 927.284068][T23383] binder: 23369:23383 BC_INCREFS_DONE u0000000000000000 no match [ 927.290898][T23370] binder: 23368:23370 BC_INCREFS_DONE u0000000000000000 no match [ 927.299858][T23384] binder: 23368:23384 ioctl c0306201 0 returned -14 [ 927.314700][T23381] binder: 23368:23381 transaction failed 29189/-3, size 24-8 line 3147 [ 927.330689][T12061] binder: undelivered TRANSACTION_COMPLETE [ 927.334352][T23386] binder: 23385:23386 ioctl c018620b 0 returned -14 [ 927.339376][T12061] binder: send failed reply for transaction 2500 to 23368:23370 07:51:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5450, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 927.351798][T12061] binder: send failed reply for transaction 2503 to 23365:23379 [ 927.359565][T23386] binder: 23385:23386 got transaction to context manager from process owning it [ 927.359585][T23386] binder: 23385:23386 transaction failed 29201/-22, size 24-8 line 2985 [ 927.359738][T23386] binder: 23385:23386 BC_INCREFS_DONE node 2511 has no pending increfs request [ 927.379539][T12061] binder_send_failed_reply: 4 callbacks suppressed [ 927.379546][T12061] binder: send failed reply for transaction 2506, target dead [ 927.414069][T12061] binder: undelivered TRANSACTION_COMPLETE [ 927.415721][T23388] binder: 23385:23388 ioctl c018620b 0 returned -14 [ 927.420439][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 927.427982][T23391] binder: 23390:23391 ioctl c018620b 0 returned -14 [ 927.445779][T23386] binder: BINDER_SET_CONTEXT_MGR already set [ 927.452744][T23386] binder: 23385:23386 ioctl 40046207 20000140 returned -16 [ 927.452748][T23391] binder: BINDER_SET_CONTEXT_MGR already set [ 927.452770][T23391] binder: 23390:23391 ioctl 40046207 0 returned -16 [ 927.460157][T23392] binder_alloc: 23385: binder_alloc_buf, no vma [ 927.479209][T23391] binder_alloc: 23385: binder_alloc_buf, no vma [ 927.485763][T23386] binder: 23385:23386 BC_INCREFS_DONE u0000000000000000 no match [ 927.494511][T23391] binder: 23390:23391 BC_INCREFS_DONE u0000000000000000 no match [ 927.507671][T23391] binder: 23390:23391 ioctl c0306201 0 returned -14 07:51:13 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x40046208, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 927.520445][T23393] binder_alloc: binder_alloc_mmap_handler: 23390 20001000-20004000 already mapped failed -16 [ 927.532469][T23391] binder: 23390:23391 ioctl c018620b 0 returned -14 [ 927.542083][T23396] binder: 23395:23396 ioctl c018620b 0 returned -14 [ 927.548067][T23397] binder_alloc: 23390: binder_alloc_buf, no vma [ 927.556111][T23391] binder: 23390:23391 BC_INCREFS_DONE u0000000000000000 no match [ 927.559291][T23396] binder_alloc: 23390: binder_alloc_buf, no vma 07:51:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5452, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 927.564010][T23393] binder: 23390:23393 ioctl c0306201 0 returned -14 [ 927.581062][T23396] binder: 23395:23396 BC_INCREFS_DONE u0000000000000000 no match [ 927.595293][T23399] binder: 23395:23399 ioctl c018620b 0 returned -14 [ 927.602290][T23396] binder: 23395:23396 BC_INCREFS_DONE u0000000000000000 no match 07:51:13 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x40049409, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:13 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 927.622312][T23401] binder: 23400:23401 ioctl c018620b 0 returned -14 [ 927.684254][T23406] binder: 23400:23406 BC_INCREFS_DONE node 2521 has no pending increfs request [ 927.689719][T23404] binder: 23403:23404 ioctl c018620b 0 returned -14 [ 927.698141][T23406] binder: 23400:23406 ioctl c0306201 0 returned -14 [ 927.758478][T23410] binder: 23403:23410 BC_INCREFS_DONE node 2524 has no pending increfs request 07:51:13 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 927.906703][T23379] binder: 23365:23379 ioctl c018620b 0 returned -14 [ 927.918675][T12061] binder: release 23365:23412 transaction 2526 out, still active [ 927.933051][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 927.969006][T23415] binder: 23415 RLIMIT_NICE not set [ 928.014485][T23416] binder: BINDER_SET_CONTEXT_MGR already set [ 928.020682][T23416] binder: 23414:23416 ioctl 40046207 0 returned -16 [ 928.414054][T23418] binder_alloc: binder_alloc_mmap_handler: 23400 20001000-20004000 already mapped failed -16 [ 928.424647][T23406] binder: 23400:23406 ioctl c018620b 0 returned -14 [ 928.428919][T23418] binder: BINDER_SET_CONTEXT_MGR already set [ 928.437360][T23418] binder: 23400:23418 ioctl 40046207 0 returned -16 [ 928.437415][T23419] binder_alloc: 23400: binder_alloc_buf, no vma [ 928.450489][T23406] binder: 23400:23406 BC_INCREFS_DONE u0000000000000000 no match [ 928.450538][T23418] binder: 23400:23418 ioctl c0306201 0 returned -14 [ 928.466068][T31463] binder: send failed reply for transaction 2520 to 23400:23401 [ 928.474377][T23410] binder: 23403:23410 ioctl c018620b 0 returned -14 [ 928.475983][T31463] binder: send failed reply for transaction 2523 to 23403:23404 [ 928.489749][T31463] binder: send failed reply for transaction 2526, target dead [ 928.497372][T31463] binder: send failed reply for transaction 2529 to 23414:23416 [ 928.513960][T31463] binder: undelivered TRANSACTION_COMPLETE [ 928.528204][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 928.550776][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:51:15 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(0xffffffffffffffff, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(0xffffffffffffffff, 0xffffffffffffffff) r1 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r1, 0x16) 07:51:15 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x6312}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:15 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:15 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x5460, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:15 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x4018620d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 930.151679][T23426] binder: 23424:23426 ioctl c018620b 0 returned -14 [ 930.166786][T23432] binder: 23430:23432 ioctl c018620b 0 returned -14 [ 930.176830][T23426] binder: 23424:23426 got transaction to context manager from process owning it [ 930.181603][T23431] binder: 23431 RLIMIT_NICE not set [ 930.186834][T23432] binder: BINDER_SET_CONTEXT_MGR already set [ 930.191646][T23426] binder_transaction: 7 callbacks suppressed [ 930.191660][T23426] binder: 23424:23426 transaction failed 29201/-22, size 24-8 line 2985 [ 930.197906][T23434] binder: 23425:23434 ioctl c018620b 0 returned -14 [ 930.208439][T23432] binder: 23430:23432 ioctl 40046207 0 returned -16 [ 930.216113][T23426] binder: 23424:23426 BC_INCREFS_DONE u0000000000000000 node 2534 cookie mismatch 0000000000000000 != 00000000200000c0 [ 930.226182][T23432] binder_alloc: 23424: binder_alloc_buf, no vma [ 930.239176][T23434] binder: 23425:23434 unknown command 25362 [ 930.244311][T23437] binder: BINDER_SET_CONTEXT_MGR already set [ 930.250026][T23434] binder: 23425:23434 ioctl c0306201 20000140 returned -22 [ 930.260918][T23432] binder: 23430:23432 transaction failed 29189/-3, size 24-8 line 3147 [ 930.267658][T23437] binder: 23428:23437 ioctl 40046207 0 returned -16 [ 930.272424][T23439] binder: 23424:23439 ioctl c018620b 0 returned -14 [ 930.278654][T23434] binder_alloc: 23424: binder_alloc_buf, no vma [ 930.291667][T23440] binder_alloc: 23424: binder_alloc_buf, no vma [ 930.291680][T23434] binder: 23425:23434 transaction failed 29189/-3, size 24-8 line 3147 [ 930.292514][T23434] binder: 23425:23434 BC_INCREFS_DONE u0000000000000000 no match [ 930.298592][T23442] binder: 23430:23442 ioctl c0306201 0 returned -14 [ 930.309899][T23443] binder: 23425:23443 ioctl c018620b 0 returned -14 [ 930.320578][T23426] binder: BINDER_SET_CONTEXT_MGR already set [ 930.321399][T23434] binder: 23425:23434 unknown command 25362 [ 930.327564][T23440] binder: 23428:23440 transaction failed 29189/-3, size 24-8 line 3147 [ 930.329877][T23426] binder: 23424:23426 ioctl 4018620d 20000140 returned -16 [ 930.334596][T23445] binder_alloc: 23424: binder_alloc_buf, no vma [ 930.349832][T23432] binder_alloc: binder_alloc_mmap_handler: 23430 20001000-20004000 already mapped failed -16 [ 930.355825][T23434] binder: 23425:23434 ioctl c0306201 20000140 returned -22 [ 930.367271][T23432] binder: 23430:23432 ioctl c018620b 0 returned -14 [ 930.372529][T23444] binder_alloc: 23424: binder_alloc_buf, no vma [ 930.380063][T23445] binder: 23425:23445 transaction failed 29189/-3, size 24-8 line 3147 07:51:16 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x4020940d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 930.388019][T23444] binder: 23424:23444 transaction failed 29189/-3, size 24-8 line 3147 [ 930.398065][T23446] binder_alloc: 23430: binder_alloc_buf, no vma 07:51:16 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046302}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 930.450252][T23442] binder: 23430:23442 ioctl c0306201 0 returned -14 [ 930.450937][T23449] binder: 23448:23449 ioctl c018620b 0 returned -14 [ 930.469045][T23446] binder: 23430:23446 transaction failed 29189/-3, size 24-8 line 3147 [ 930.481948][T23449] binder: 23448:23449 transaction failed 29189/-22, size 24-8 line 2994 [ 930.482187][T23451] binder: 23450:23451 ioctl c018620b 0 returned -14 07:51:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046205, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 930.493251][T23452] binder: 23448:23452 ioctl c018620b 0 returned -14 [ 930.508449][T23451] binder: BC_ACQUIRE_RESULT not supported [ 930.509944][T23452] binder: 23448:23452 transaction failed 29189/-22, size 24-8 line 2994 [ 930.521156][T23451] binder: 23450:23451 ioctl c0306201 20000140 returned -22 [ 930.541097][T23451] binder: 23450:23451 transaction failed 29189/-22, size 24-8 line 2994 07:51:16 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x402c5828, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 930.557485][T23455] binder: 23454:23455 ioctl c018620b 0 returned -14 [ 930.572115][T23456] binder: 23450:23456 ioctl c018620b 0 returned -14 07:51:16 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046304}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 930.606661][T23459] binder: 23458:23459 ioctl c018620b 0 returned -14 [ 930.613827][T23451] binder: BC_ACQUIRE_RESULT not supported [ 930.619592][T23451] binder: 23450:23451 ioctl c0306201 20000140 returned -22 [ 930.630486][T31463] binder: release 23450:23460 transaction 2553 out, still active 07:51:16 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 930.654915][T23462] binder: 23454:23462 BC_INCREFS_DONE node 2548 has no pending increfs request [ 930.669770][T23462] binder: 23454:23462 ioctl c0306201 0 returned -14 [ 930.677235][T23465] binder: 23458:23465 BC_INCREFS_DONE node 2551 has no pending increfs request [ 930.682700][T23464] binder: 23463:23464 ioctl c018620b 0 returned -14 [ 931.355823][T23462] binder_alloc: binder_alloc_mmap_handler: 23454 20001000-20004000 already mapped failed -16 [ 931.366454][T23462] binder: 23454:23462 ioctl c018620b 0 returned -14 [ 931.373242][T23462] binder: BINDER_SET_CONTEXT_MGR already set [ 931.379779][T23462] binder: 23454:23462 ioctl 40046207 0 returned -16 [ 931.379808][T23473] binder_alloc: 23454: binder_alloc_buf, no vma [ 931.396743][T23473] binder: 23454:23473 ioctl c0306201 0 returned -14 [ 931.403808][T12061] binder: release 23454:23455 transaction 2547 out, still active [ 931.405037][T23465] binder: 23458:23465 ioctl c018620b 0 returned -14 [ 931.413578][T12061] binder: send failed reply for transaction 2547, target dead [ 931.435159][T12061] binder: send failed reply for transaction 2550 to 23458:23459 [ 931.447238][T12061] binder: send failed reply for transaction 2553, target dead [ 931.455483][T12061] binder: send failed reply for transaction 2557 to 23463:23469 [ 931.465191][T12061] binder: undelivered TRANSACTION_COMPLETE [ 931.471184][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 931.478799][T23477] binder: 23463:23477 ioctl c018620b 0 returned -14 [ 931.490142][T23469] binder: 23463:23469 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 931.505991][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 932.233492][ C1] net_ratelimit: 20 callbacks suppressed [ 932.233501][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 932.244941][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 932.250717][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 932.256479][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 932.262228][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 932.267985][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 932.953482][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 932.959299][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 932.965147][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 932.971216][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:51:18 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:51:18 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(0xffffffffffffffff, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(0xffffffffffffffff, 0xffffffffffffffff) r1 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r1, 0x16) 07:51:18 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046207, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:18 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0x402c582a, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:18 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046307}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 933.194697][T23482] binder: 23482 RLIMIT_NICE not set [ 933.205367][T23484] binder: 23483:23484 ioctl c018620b 0 returned -14 [ 933.212764][T23487] binder: 23485:23487 ioctl c018620b 0 returned -14 [ 933.216277][T23484] binder_thread_write: 7 callbacks suppressed [ 933.216301][T23484] binder: 23483:23484 BC_INCREFS_DONE u0000000000000000 no match [ 933.223610][T23487] binder: 23485:23487 DecRefs 0 refcount change on invalid ref 0 ret -22 07:51:19 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0046209, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 933.233211][T23491] binder: 23483:23491 ioctl c018620b 0 returned -14 [ 933.236082][T23488] binder: 23486:23488 ioctl c018620b 0 returned -14 [ 933.242497][T23484] binder: 23483:23484 BC_INCREFS_DONE u0000000000000000 no match [ 933.250673][T23488] binder: BINDER_SET_CONTEXT_MGR already set [ 933.269514][T23488] binder: 23486:23488 ioctl 40046207 20000140 returned -16 [ 933.278437][T23488] binder: BINDER_SET_CONTEXT_MGR already set [ 933.284874][T23488] binder: 23486:23488 ioctl 40046207 0 returned -16 [ 933.310901][T23497] binder: 23496:23497 ioctl c018620b 0 returned -14 [ 933.339741][T23498] binder: 23486:23498 BC_INCREFS_DONE node 2573 has no pending increfs request [ 933.349462][T23498] binder: 23486:23498 ioctl c0306201 0 returned -14 [ 933.364543][T23499] binder: 23496:23499 BC_INCREFS_DONE node 2576 has no pending increfs request 07:51:19 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:51:19 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 934.002417][T12061] binder: send failed reply for transaction 2566 to 23481:23492 [ 934.003179][T23498] binder_alloc: binder_alloc_mmap_handler: 23486 20001000-20004000 already mapped failed -16 [ 934.012439][T12061] binder: send failed reply for transaction 2569 to 23485:23494 [ 934.035298][T23494] binder: 23485:23494 ioctl c018620b 0 returned -14 [ 934.040280][T12061] binder: send failed reply for transaction 2572 to 23486:23488 [ 934.052857][T23494] binder: 23485:23494 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 934.055953][T23506] binder: 23506 RLIMIT_NICE not set [ 934.067042][T12061] binder: send failed reply for transaction 2575 to 23496:23497 [ 934.069330][T23488] binder: 23486:23488 ioctl c018620b 0 returned -14 [ 934.078821][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 934.087282][T23498] binder: BINDER_SET_CONTEXT_MGR already set [ 934.088750][T23497] binder: 23496:23497 ioctl c018620b 0 returned -14 07:51:19 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086303}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 934.100701][T23508] binder_alloc: 23486: binder_alloc_buf, no vma [ 934.102449][T23510] binder: BINDER_SET_CONTEXT_MGR already set [ 934.113129][T23498] binder: 23486:23498 ioctl 40046207 0 returned -16 [ 934.120177][T23510] binder: 23505:23510 ioctl 40046207 0 returned -16 [ 934.120323][T23509] binder: 23486:23509 got transaction to context manager from process owning it [ 934.127476][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 934.143062][T23511] binder_alloc: 23486: binder_alloc_buf, no vma 07:51:19 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc018620b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 934.160248][T23510] binder_alloc: 23486: binder_alloc_buf, no vma [ 934.169635][T23488] binder: 23486:23488 BC_INCREFS_DONE node 2578 has no pending increfs request [ 934.169776][T23498] binder: 23486:23498 ioctl c0306201 0 returned -14 [ 934.179498][T23513] binder: 23512:23513 ioctl c018620b 0 returned -14 [ 934.191100][T23510] binder: 23505:23510 BC_INCREFS_DONE u0000000000000000 no match [ 934.199890][T23513] binder: 23512:23513 BC_FREE_BUFFER u0000000000000000 no match 07:51:19 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 934.227765][T23516] binder: 23515:23516 ioctl c018620b 0 returned -14 [ 934.245809][T23517] binder: 23512:23517 BC_INCREFS_DONE u0000000000000000 no match [ 934.248408][T23516] binder: 23515:23516 BC_INCREFS_DONE u0000000000000000 no match 07:51:20 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 934.274377][T23520] binder: 23518:23520 ioctl c018620b 0 returned -14 [ 934.274836][T23521] binder: 23515:23521 ioctl c018620b 0 returned -14 [ 934.287075][T23520] binder: 23518:23520 ioctl c0306201 0 returned -14 [ 934.301483][T23522] binder_alloc: binder_alloc_mmap_handler: 23518 20001000-20004000 already mapped failed -16 [ 934.312680][T23520] binder: 23518:23520 ioctl c018620b 0 returned -14 [ 934.327979][T23521] binder_alloc: 23518: binder_alloc_buf, no vma [ 934.329952][T23522] binder: BINDER_SET_CONTEXT_MGR already set [ 934.349186][T23522] binder: 23518:23522 ioctl 40046207 0 returned -16 [ 934.350470][T23516] binder: 23515:23516 BC_INCREFS_DONE u0000000000000000 no match [ 934.359040][T23525] binder_alloc: 23518: binder_alloc_buf, no vma [ 934.370931][T23520] binder: 23518:23520 BC_INCREFS_DONE u0000000000000000 no match [ 934.379567][T23525] binder: 23518:23525 ioctl c0306201 0 returned -14 [ 934.386920][T31463] binder: release 23518:23520 transaction 2586 out, still active [ 934.401410][T31463] binder: send failed reply for transaction 2586, target dead [ 934.969589][T23532] binder: 23512:23532 ioctl c018620b 0 returned -14 [ 934.976491][T23517] binder: 23512:23517 BC_FREE_BUFFER u0000000000000000 no match [ 934.980573][T23532] binder: 23512:23532 BC_INCREFS_DONE u0000000000000000 no match 07:51:21 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:21 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc018620c, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:21 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40049409, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:21 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x0, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:21 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:21 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x4008630a}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 936.241878][T23539] binder: 23536:23539 ioctl c018620b 0 returned -14 [ 936.246301][T23535] binder: 23534:23535 ioctl c018620b 0 returned -14 [ 936.254818][T23541] binder: 23540:23541 ioctl c018620b 0 returned -14 [ 936.267263][T23543] binder: 23543 RLIMIT_NICE not set [ 936.270026][T23541] binder: 23540 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 936.270038][T23541] binder: 23540:23541 ioctl c018620c 20000140 returned -22 [ 936.274178][T23535] binder: BC_ATTEMPT_ACQUIRE not supported [ 936.294694][T23535] binder: 23534:23535 ioctl c0306201 20000140 returned -22 [ 936.313591][T23546] binder: BINDER_SET_CONTEXT_MGR already set [ 936.319648][T23546] binder: 23538:23546 ioctl 40046207 0 returned -16 [ 936.326382][T23548] binder: 23536:23548 BC_INCREFS_DONE node 2594 has no pending increfs request [ 936.333587][T23549] binder: 23540:23549 BC_INCREFS_DONE node 2597 has no pending increfs request [ 936.337299][T23548] binder: 23536:23548 ioctl c0306201 0 returned -14 [ 936.351680][T23550] binder: 23534:23550 BC_INCREFS_DONE node 2600 has no pending increfs request 07:51:22 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 937.029833][T23554] binder: 23534:23554 ioctl c018620b 0 returned -14 [ 937.037459][T23548] binder_alloc: binder_alloc_mmap_handler: 23536 20001000-20004000 already mapped failed -16 [ 937.042504][T23549] binder: 23540:23549 ioctl c018620b 0 returned -14 [ 937.053778][T31463] binder: release 23538:23546 transaction 2602 out, still active [ 937.062166][T23550] binder: BC_ATTEMPT_ACQUIRE not supported [ 937.065594][T23549] binder: 23540 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. 07:51:22 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x0, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 937.065607][T23549] binder: 23540:23549 ioctl c018620c 20000140 returned -22 [ 937.075570][T23555] binder_alloc: 23536: binder_alloc_buf, no vma [ 937.091164][T23548] binder: 23536:23548 ioctl c018620b 0 returned -14 [ 937.092913][T23550] binder: 23534:23550 ioctl c0306201 20000140 returned -22 [ 937.104016][T23554] binder: 23534:23554 BC_INCREFS_DONE u0000000000000000 no match [ 937.114496][T23555] binder_transaction: 14 callbacks suppressed [ 937.114509][T23555] binder: 23534:23555 transaction failed 29189/-3, size 24-8 line 3147 [ 937.125806][T23558] binder: BINDER_SET_CONTEXT_MGR already set [ 937.129065][T23557] binder_alloc: 23536: binder_alloc_buf, no vma [ 937.142409][T23557] binder: 23540:23557 transaction failed 29189/-3, size 24-8 line 3147 [ 937.157766][T23563] binder: 23563 RLIMIT_NICE not set [ 937.162477][T12061] binder: release 23540:23541 transaction 2596 out, still active [ 937.163685][T23561] binder_alloc: 23536: binder_alloc_buf, no vma 07:51:22 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086310}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 937.172000][T23558] binder: 23536:23558 ioctl 40046207 0 returned -16 [ 937.195927][T12061] binder: unexpected work type, 4, not freed [ 937.199977][T23561] binder: 23536:23561 transaction failed 29189/-3, size 24-8 line 3147 [ 937.209893][T12061] binder: undelivered TRANSACTION_COMPLETE [ 937.210717][T23565] binder: BINDER_SET_CONTEXT_MGR already set 07:51:22 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0189436, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 937.225190][T23567] binder: 23566:23567 ioctl c018620b 0 returned -14 [ 937.232356][T23567] binder: 23566:23567 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 937.241568][T23565] binder: 23562:23565 ioctl 40046207 0 returned -16 [ 937.245278][T12061] binder: send failed reply for transaction 2593 to 23536:23539 [ 937.250332][T23565] binder: 23562:23565 transaction failed 29189/-22, size 24-8 line 2994 [ 937.265250][T23565] binder: 23562:23565 BC_INCREFS_DONE u0000000000000000 no match [ 937.276741][T23570] binder: 23569:23570 ioctl c018620b 0 returned -14 [ 937.279061][T12061] binder: send failed reply for transaction 2596, target dead [ 937.283930][T23571] binder: 23566:23571 transaction failed 29189/-22, size 24-8 line 2994 [ 937.301581][T23570] binder: 23569:23570 transaction failed 29189/-22, size 24-8 line 2994 [ 937.302960][T12061] binder: send failed reply for transaction 2599 to 23534:23535 [ 937.318145][T23572] binder: 23569:23572 ioctl c018620b 0 returned -14 07:51:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4018620d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 937.323480][T12061] binder: send failed reply for transaction 2602, target dead [ 937.328841][T23572] binder: 23569:23572 transaction failed 29189/-22, size 24-8 line 2994 [ 937.332611][T12061] binder: undelivered TRANSACTION_COMPLETE 07:51:23 executing program 5: read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(0xffffffffffffffff, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 937.371605][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 937.390756][T23576] binder: 23574:23576 ioctl c018620b 0 returned -14 [ 937.396421][T12061] binder: undelivered TRANSACTION_COMPLETE [ 937.420282][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 937.424694][T23576] binder: BINDER_SET_CONTEXT_MGR already set [ 937.441777][T23576] binder: 23574:23576 ioctl 40046207 0 returned -16 [ 937.458806][T23576] binder: 23574:23576 got transaction to context manager from process owning it [ 937.473109][T23576] binder: 23574:23576 transaction failed 29201/-22, size 24-8 line 2985 [ 937.482278][T23576] binder: 23574:23576 BC_INCREFS_DONE u0000000000000000 node 2612 cookie mismatch 0000000000000000 != 00000000200000c0 [ 937.495224][T23576] binder: 23574:23576 ioctl c0306201 0 returned -14 [ 937.503288][T23581] binder_alloc: binder_alloc_mmap_handler: 23574 20001000-20004000 already mapped failed -16 [ 937.514166][T23576] binder: 23574:23576 ioctl c018620b 0 returned -14 [ 937.514905][T23581] binder: BINDER_SET_CONTEXT_MGR already set [ 937.527632][T23581] binder: 23574:23581 ioctl 4018620d 20000140 returned -16 [ 937.535178][T23581] binder_alloc: 23574: binder_alloc_buf, no vma [ 937.536546][T23576] binder: BINDER_SET_CONTEXT_MGR already set [ 937.541636][T23581] binder: 23574:23581 transaction failed 29189/-3, size 24-8 line 3147 [ 937.547857][T23576] binder: 23574:23576 ioctl 40046207 0 returned -16 [ 937.557713][T23582] binder: 23574:23582 ioctl c0306201 0 returned -14 [ 938.024701][T23585] binder: 23566:23585 ioctl c018620b 0 returned -14 [ 938.031451][T23571] binder: 23566:23571 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 938.042779][T23586] binder: 23566:23586 transaction failed 29189/-22, size 24-8 line 2994 [ 938.473462][ C1] net_ratelimit: 20 callbacks suppressed [ 938.473475][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 938.484905][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 938.490681][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 938.496451][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 938.502219][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 938.507987][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 939.193522][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 939.199314][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 939.205162][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 939.210896][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:51:24 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:24 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc020660b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:24 executing program 5: read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(0xffffffffffffffff, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4020940d, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:24 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x0, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:24 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x400c630e}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:25 executing program 5: read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(0xffffffffffffffff, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 939.272086][T23592] binder: 23589:23592 ioctl c018620b 0 returned -14 [ 939.282401][T23591] binder: 23591 RLIMIT_NICE not set [ 939.294583][T23595] binder: 23593:23595 ioctl c018620b 0 returned -14 [ 939.301658][T23588] binder: 23587:23588 ioctl c018620b 0 returned -14 [ 939.303655][T23595] binder: 23593:23595 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 07:51:25 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 939.328500][T23601] binder: BINDER_SET_CONTEXT_MGR already set [ 939.348872][T23601] binder: 23590:23601 ioctl 40046207 0 returned -16 [ 939.359081][T23604] binder: 23589:23604 BC_INCREFS_DONE node 2618 has no pending increfs request 07:51:25 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:25 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 939.371323][T23608] binder: 23587:23608 BC_INCREFS_DONE node 2621 has no pending increfs request [ 939.378311][T23604] binder: 23589:23604 ioctl c0306201 0 returned -14 07:51:25 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:25 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 940.064208][T23608] binder: 23587:23608 ioctl c018620b 0 returned -14 [ 940.065954][T23604] binder_alloc: binder_alloc_mmap_handler: 23589 20001000-20004000 already mapped failed -16 [ 940.071194][T23624] binder_alloc: 23589: binder_alloc_buf, no vma [ 940.082920][T23604] binder: 23589:23604 ioctl c018620b 0 returned -14 [ 940.088771][T23603] binder: 23593:23603 ioctl c018620b 0 returned -14 [ 940.100002][T23625] binder: BINDER_SET_CONTEXT_MGR already set [ 940.107127][T23625] binder: 23589:23625 ioctl 40046207 0 returned -16 [ 940.108193][T31463] binder: release 23590:23609 transaction 2626 out, still active [ 940.129372][T31463] binder: release 23587:23588 transaction 2620 out, still active [ 940.137532][T23626] binder_alloc: 23589: binder_alloc_buf, no vma [ 940.137740][T23603] binder: 23593:23603 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 940.144419][T31463] binder: unexpected work type, 4, not freed [ 940.157943][T31463] binder: undelivered TRANSACTION_COMPLETE [ 940.163926][T23628] binder_alloc: 23589: binder_alloc_buf, no vma [ 940.164469][T23604] binder_thread_write: 4 callbacks suppressed [ 940.164481][T23604] binder: 23589:23604 BC_INCREFS_DONE u0000000000000000 no match [ 940.171183][T23627] binder: 23593:23627 BC_INCREFS_DONE u0000000000000000 no match [ 940.198806][T23625] binder: 23589:23625 ioctl c0306201 0 returned -14 [ 940.206799][T31463] binder: send failed reply for transaction 2617 to 23589:23592 [ 940.215193][T31463] binder: send failed reply for transaction 2620, target dead [ 940.222787][T31463] binder: send failed reply for transaction 2623 to 23593:23603 [ 940.235977][T31463] binder: send failed reply for transaction 2626, target dead [ 940.257026][T31463] binder: undelivered TRANSACTION_COMPLETE [ 940.266478][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 940.272885][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:51:28 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(0xffffffffffffffff, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:28 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:28 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc030624b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:28 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x400c630f}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x402c5828, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:28 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 942.321636][T23635] binder: 23634:23635 ioctl c018620b 0 returned -14 [ 942.329177][T23638] binder: 23633:23638 ioctl c018620b 0 returned -14 [ 942.340408][T23639] binder: 23636:23639 ioctl c018620b 0 returned -14 [ 942.342424][T23635] binder: 23634:23635 ioctl c030624b 20000140 returned -22 [ 942.349972][T23639] binder: 23636:23639 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 942.367135][T23642] binder: 23642 RLIMIT_NICE not set [ 942.396447][T23646] binder: 23633:23646 BC_INCREFS_DONE node 2634 has no pending increfs request [ 942.406025][T23647] binder: 23634:23647 BC_INCREFS_DONE node 2637 has no pending increfs request [ 942.414487][T23646] binder: 23633:23646 ioctl c0306201 0 returned -14 [ 942.416878][T23649] binder: BINDER_SET_CONTEXT_MGR already set [ 942.431809][T23649] binder: 23641:23649 ioctl 40046207 0 returned -16 07:51:28 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 943.115108][T23646] binder_alloc: binder_alloc_mmap_handler: 23633 20001000-20004000 already mapped failed -16 [ 943.121313][T23647] binder: 23634:23647 ioctl c018620b 0 returned -14 [ 943.126438][T23646] binder: 23633:23646 ioctl c018620b 0 returned -14 [ 943.132511][T23647] binder: 23634:23647 ioctl c030624b 20000140 returned -22 [ 943.143572][T31463] binder: release 23641:23649 transaction 2642 out, still active [ 943.151926][T23655] binder_alloc: 23633: binder_alloc_buf, no vma [ 943.160652][T23645] binder: 23636:23645 ioctl c018620b 0 returned -14 [ 943.166310][T23653] binder: BINDER_SET_CONTEXT_MGR already set [ 943.172599][T23655] binder_transaction: 3 callbacks suppressed [ 943.172614][T23655] binder: 23634:23655 transaction failed 29189/-3, size 24-8 line 3147 [ 943.174925][T23657] binder_alloc: 23633: binder_alloc_buf, no vma [ 943.180314][T23645] binder: 23636:23645 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 943.199448][T23654] binder: 23634:23654 BC_INCREFS_DONE u0000000000000000 no match 07:51:28 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:28 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x3f00, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 943.203685][T31463] binder: release 23634:23635 transaction 2636 out, still active [ 943.231812][T31463] binder: release 23636:23645 transaction 2639 out, still active [ 943.241731][T23662] binder: 23633:23662 BC_INCREFS_DONE u0000000000000000 no match [ 943.252332][T23663] binder: 23633:23663 ioctl c0306201 0 returned -14 [ 943.259477][T23661] binder: 23661 RLIMIT_NICE not set [ 943.277921][T23658] binder_alloc: 23633: binder_alloc_buf, no vma [ 943.284623][T23657] binder: 23633:23657 transaction failed 29189/-3, size 24-8 line 3147 [ 943.292011][T23653] binder: 23633:23653 ioctl 40046207 0 returned -16 [ 943.293119][T23666] binder: 23665:23666 ioctl c018620b 0 returned -14 [ 943.305621][T23667] binder: BINDER_SET_CONTEXT_MGR already set [ 943.311597][T23658] binder: 23636:23658 transaction failed 29189/-3, size 24-8 line 3147 [ 943.312351][T23667] binder: 23660:23667 ioctl 40046207 0 returned -16 07:51:29 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40106308}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 943.325882][T23668] binder_alloc: 23633: binder_alloc_buf, no vma [ 943.341919][T31463] binder: send failed reply for transaction 2633 to 23633:23638 [ 943.350525][T31463] binder: send failed reply for transaction 2636, target dead [ 943.358794][T23668] binder: 23665:23668 transaction failed 29189/-3, size 24-8 line 3147 [ 943.358884][T23667] binder_alloc: 23633: binder_alloc_buf, no vma 07:51:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x402c582a, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 943.367530][T31463] binder: send failed reply for transaction 2639, target dead [ 943.382630][T23666] binder: 23665:23666 BC_INCREFS_DONE u0000000000000000 no match [ 943.392849][T31463] binder: send failed reply for transaction 2642, target dead [ 943.399051][T23671] binder: 23660:23671 BC_INCREFS_DONE u0000000000000000 no match [ 943.419291][T23670] binder: 23669:23670 ioctl c018620b 0 returned -14 [ 943.431903][T23668] binder: 23665:23668 ioctl c018620b 0 returned -14 [ 943.442474][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 943.451383][T23675] binder: 23674:23675 ioctl c018620b 0 returned -14 [ 943.455720][T23668] binder: 23665:23668 transaction failed 29189/-22, size 24-8 line 2994 [ 943.458275][T23670] binder: 23669:23670 BC_INCREFS_DONE u0000000000000000 no match [ 943.467790][T23666] binder: 23665:23666 BC_INCREFS_DONE u0000000000000000 no match 07:51:29 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 943.483334][T23667] binder: 23660:23667 transaction failed 29189/-3, size 24-8 line 3147 [ 943.550121][T23678] binder: 23674:23678 BC_INCREFS_DONE node 2653 has no pending increfs request [ 943.559623][T23678] binder: 23674:23678 ioctl c0306201 0 returned -14 [ 944.194320][T23680] binder: 23669:23680 ioctl c018620b 0 returned -14 [ 944.201066][T23680] binder: 23669:23680 BC_INCREFS_DONE u0000000000000000 no match [ 944.210386][T31463] binder: release 23669:23684 transaction 2658 out, still active [ 944.218835][T31463] binder: release 23669:23680 transaction 2655 out, still active [ 944.251217][T23686] binder_alloc: binder_alloc_mmap_handler: 23674 20001000-20004000 already mapped failed -16 [ 944.261700][T23678] binder: 23674:23678 ioctl c018620b 0 returned -14 [ 944.262675][T23686] binder: BINDER_SET_CONTEXT_MGR already set [ 944.277713][T23686] binder: 23674:23686 ioctl 40046207 0 returned -16 [ 944.277748][T23687] binder_alloc: 23674: binder_alloc_buf, no vma [ 944.290905][T23687] binder: 23674:23687 transaction failed 29189/-3, size 24-8 line 3147 [ 944.299388][T23678] binder: 23674:23678 BC_INCREFS_DONE u0000000000000000 no match [ 944.299422][T23686] binder: 23674:23686 ioctl c0306201 0 returned -14 [ 944.314412][T12061] binder: release 23674:23675 transaction 2652 out, still active [ 944.322312][T12061] binder: send failed reply for transaction 2652, target dead [ 944.330079][T12061] binder: send failed reply for transaction 2655, target dead [ 944.337688][T12061] binder: send failed reply for transaction 2658, target dead [ 944.713478][ C1] net_ratelimit: 20 callbacks suppressed [ 944.713486][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 944.724927][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 944.730899][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 944.736673][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 944.742436][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 944.748210][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:51:31 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x0, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:31 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x4000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:31 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:31 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:31 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40106309}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 945.373898][T23695] binder: 23694:23695 ioctl c018620b 0 returned -14 [ 945.385080][T23696] binder: 23692:23696 ioctl c018620b 0 returned -14 [ 945.385965][T23693] binder: 23689:23693 ioctl c018620b 0 returned -14 [ 945.393882][T23698] binder: 23698 RLIMIT_NICE not set [ 945.409066][T23696] binder: 23692:23696 BC_ACQUIRE_DONE u0000000000000000 no match [ 945.439439][T23701] binder: BINDER_SET_CONTEXT_MGR already set [ 945.443458][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 945.450473][T23701] binder: 23697:23701 ioctl 40046207 0 returned -16 [ 945.451254][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 945.461790][T23703] binder: 23694:23703 BC_INCREFS_DONE node 2664 has no pending increfs request [ 945.463660][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 945.463702][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 945.485173][T23703] binder: 23694:23703 ioctl c0306201 0 returned -14 07:51:31 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 946.171099][T23710] binder: 23689:23710 ioctl c018620b 0 returned -14 [ 946.172284][T23703] binder_alloc: binder_alloc_mmap_handler: 23694 20001000-20004000 already mapped failed -16 [ 946.179831][T31463] binder: release 23697:23701 transaction 2669 out, still active [ 946.194552][T23702] binder: 23692:23702 ioctl c018620b 0 returned -14 [ 946.196159][T23705] binder_alloc: 23694: binder_alloc_buf, no vma [ 946.202641][T23702] binder: 23692:23702 BC_ACQUIRE_DONE u0000000000000000 no match 07:51:31 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 946.209294][T23705] binder: 23689:23705 transaction failed 29189/-3, size 24-8 line 3147 [ 946.225519][T31463] binder: release 23689:23705 transaction 2672 out, still active [ 946.232074][T23703] binder: 23694:23703 ioctl c018620b 0 returned -14 [ 946.250503][T23711] binder_alloc: 23694: binder_alloc_buf, no vma [ 946.253857][T23712] binder: BINDER_SET_CONTEXT_MGR already set [ 946.262936][T23712] binder: 23694:23712 ioctl 40046207 0 returned -16 07:51:31 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x1000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 946.268886][T23711] binder: 23692:23711 transaction failed 29189/-3, size 24-8 line 3147 [ 946.287964][T23714] binder_alloc: 23694: binder_alloc_buf, no vma [ 946.298112][T23716] binder: 23716 RLIMIT_NICE not set [ 946.298507][T23702] binder: 23692:23702 BC_INCREFS_DONE u0000000000000000 no match [ 946.305784][T23720] binder: 23694:23720 ioctl c0306201 0 returned -14 07:51:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 946.328868][T23719] binder: 23694:23719 BC_INCREFS_DONE u0000000000000000 no match [ 946.335836][T23714] binder: 23694:23714 transaction failed 29189/-3, size 24-8 line 3147 [ 946.337597][T31463] binder: release 23694:23695 transaction 2663 out, still active [ 946.347158][T23722] binder: 23721:23722 ioctl c018620b 0 returned -14 [ 946.353215][T23723] binder: BINDER_SET_CONTEXT_MGR already set 07:51:32 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40406300}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 946.389533][T31463] binder: send failed reply for transaction 2663, target dead [ 946.400176][T23723] binder: 23715:23723 ioctl 40046207 0 returned -16 [ 946.409605][T31463] binder: send failed reply for transaction 2666 to 23692:23702 [ 946.418350][T23727] binder: 23721:23727 BC_INCREFS_DONE u0000000000000000 no match [ 946.422048][T23725] binder: 23715:23725 BC_INCREFS_DONE u0000000000000000 no match 07:51:32 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 946.434380][T31463] binder: send failed reply for transaction 2669, target dead [ 946.448510][T23728] binder: 23726:23728 ioctl c018620b 0 returned -14 [ 946.455650][T31463] binder: send failed reply for transaction 2672, target dead [ 946.466109][T23730] binder: 23729:23730 ioctl c018620b 0 returned -14 [ 946.468566][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 946.512697][T23734] binder: 23726:23734 BC_INCREFS_DONE node 2682 has no pending increfs request [ 946.525758][T23734] binder: 23726:23734 ioctl c0306201 0 returned -14 [ 947.132473][T23739] binder: 23721:23739 ioctl c018620b 0 returned -14 [ 947.185167][T23739] binder: 23721:23739 BC_INCREFS_DONE node 2689 has no pending increfs request [ 947.194794][T12061] binder: release 23721:23727 transaction 2688 out, still active [ 947.205349][T12061] binder: unexpected work type, 4, not freed [ 947.219168][T12061] binder: undelivered TRANSACTION_COMPLETE [ 947.225886][T23734] binder_alloc: binder_alloc_mmap_handler: 23726 20001000-20004000 already mapped failed -16 [ 947.242481][T23734] binder: 23726:23734 ioctl c018620b 0 returned -14 [ 947.249989][T23741] binder: BINDER_SET_CONTEXT_MGR already set [ 947.251581][T23735] binder: 23729:23735 ioctl c018620b 0 returned -14 [ 947.258574][T23742] binder_alloc: 23726: binder_alloc_buf, no vma [ 947.269196][T23741] binder: 23726:23741 ioctl 40046207 0 returned -16 [ 947.276093][T23735] binder_alloc: 23726: binder_alloc_buf, no vma [ 947.282577][T23734] binder: 23726:23734 BC_INCREFS_DONE u0000000000000000 no match [ 947.289102][T23744] binder_alloc: 23726: binder_alloc_buf, no vma [ 947.290690][T23741] binder: 23726:23741 ioctl c0306201 0 returned -14 [ 947.302467][T31463] binder: release 23729:23730 transaction 2684 out, still active [ 947.315192][T31463] binder: undelivered TRANSACTION_COMPLETE [ 947.330907][T31463] binder: release 23729:23735 transaction 2685 out, still active [ 947.339841][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 947.346227][T31463] binder: send failed reply for transaction 2681 to 23726:23728 [ 947.354101][T31463] binder: send failed reply for transaction 2684, target dead [ 947.361600][T31463] binder: send failed reply for transaction 2685, target dead [ 947.369122][T31463] binder: send failed reply for transaction 2688, target dead [ 947.376722][T31463] binder: undelivered TRANSACTION_COMPLETE [ 947.382546][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:51:34 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x0, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:34 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:34 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:34 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x3f000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620c, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:34 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40406301}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 948.439713][T23753] binder: 23748:23753 ioctl c018620b 0 returned -14 [ 948.440404][T23751] binder: 23749:23751 ioctl c018620b 0 returned -14 [ 948.455212][T23753] binder: 23748:23753 got reply transaction with no transaction stack [ 948.462823][T23755] binder: 23750:23755 ioctl c018620b 0 returned -14 [ 948.466507][T23754] binder: 23754 RLIMIT_NICE not set [ 948.471481][T23755] binder: 23750 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 948.471492][T23755] binder: 23750:23755 ioctl c018620c 20000140 returned -22 [ 948.477529][T23753] binder_transaction: 5 callbacks suppressed [ 948.477544][T23753] binder: 23748:23753 transaction failed 29201/-71, size 0-0 line 2899 [ 948.509115][T23753] binder: 23748:23753 BC_INCREFS_DONE u0000000000000000 no match [ 948.517398][T23761] binder: BINDER_SET_CONTEXT_MGR already set [ 948.519490][T23759] binder: 23748:23759 ioctl c018620b 0 returned -14 [ 948.529301][T23761] binder: 23752:23761 ioctl 40046207 0 returned -16 [ 948.530536][T23753] binder: 23748:23753 got reply transaction with no transaction stack [ 948.545205][T23763] binder: 23750:23763 BC_INCREFS_DONE node 2697 has no pending increfs request [ 948.556366][T23763] binder: 23750:23763 ioctl c0306201 0 returned -14 [ 948.558589][T23753] binder: 23748:23753 transaction failed 29201/-71, size 0-0 line 2899 [ 948.571471][T31463] binder: undelivered TRANSACTION_ERROR: 29201 07:51:34 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40486311}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 948.591022][T31463] binder: release 23748:23762 transaction 2706 out, still active [ 948.609206][T23766] binder: 23765:23766 ioctl c018620b 0 returned -14 07:51:34 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x0, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 949.231628][T23772] binder: 23749:23772 ioctl c018620b 0 returned -14 [ 949.239472][T12061] binder: release 23752:23761 transaction 2703 out, still active [ 949.248625][T23763] binder_alloc: binder_alloc_mmap_handler: 23750 20001000-20004000 already mapped failed -16 [ 949.259194][T23772] binder_alloc: 23750: binder_alloc_buf, no vma [ 949.259660][T23763] binder: 23750:23763 ioctl c018620b 0 returned -14 [ 949.270545][T23772] binder: 23749:23772 transaction failed 29189/-3, size 24-8 line 3147 07:51:35 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 949.272755][T23773] binder: 23750 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 949.272767][T23773] binder: 23750:23773 ioctl c018620c 20000140 returned -22 [ 949.301857][T23763] binder: BINDER_SET_CONTEXT_MGR already set [ 949.302378][T23775] binder: 23775 RLIMIT_NICE not set [ 949.309363][T23773] binder_alloc: 23750: binder_alloc_buf, no vma [ 949.318559][T31463] binder: release 23749:23760 transaction 2699 out, still active 07:51:35 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x40000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 949.320069][T23763] binder: 23750:23763 ioctl 40046207 0 returned -16 [ 949.342137][T23773] binder: 23750:23773 transaction failed 29189/-3, size 24-8 line 3147 [ 949.348520][T23777] binder: BINDER_SET_CONTEXT_MGR already set [ 949.357980][T23779] binder: 23750:23779 ioctl c0306201 0 returned -14 [ 949.361827][T23777] binder: 23774:23777 ioctl 40046207 0 returned -16 [ 949.365192][T23778] binder: 23750:23778 BC_INCREFS_DONE u0000000000000000 no match [ 949.393491][T12061] binder: send failed reply for transaction 2696 to 23750:23755 [ 949.401527][T23781] binder: 23774:23781 transaction failed 29189/-22, size 24-8 line 2994 [ 949.408230][T23783] binder: 23782:23783 ioctl c018620b 0 returned -14 [ 949.410338][T12061] binder: send failed reply for transaction 2699, target dead [ 949.417284][T23767] binder: 23765:23767 ioctl c018620b 0 returned -14 07:51:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0189436, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 949.437190][T23767] binder: 23765:23767 transaction failed 29189/-22, size 0-0 line 2994 [ 949.447441][T12061] binder: send failed reply for transaction 2703, target dead [ 949.448404][T23777] binder: 23774:23777 BC_INCREFS_DONE u0000000000000000 no match [ 949.469236][T23786] binder: 23782:23786 transaction failed 29189/-22, size 24-8 line 2994 [ 949.478707][T12061] binder: send failed reply for transaction 2706, target dead 07:51:35 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x0, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 949.490513][T23788] binder: 23787:23788 ioctl c018620b 0 returned -14 [ 949.499301][T23786] binder: 23782:23786 ioctl c018620b 0 returned -14 [ 949.499850][T12061] binder: send failed reply for transaction 2709 to 23765:23766 [ 949.510568][T23789] binder: 23765:23789 transaction failed 29189/-22, size 24-8 line 2994 [ 949.517131][T12061] binder: send failed reply for transaction 2710 to 23765:23767 [ 949.530607][T12061] binder: undelivered TRANSACTION_COMPLETE [ 949.536807][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 949.554062][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 949.562799][T23791] binder: 23787:23791 BC_INCREFS_DONE node 2721 has no pending increfs request [ 949.574210][T12061] binder: undelivered TRANSACTION_COMPLETE [ 949.591162][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 949.597905][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 949.604546][T12061] binder: release 23782:23786 transaction 2723 out, still active [ 949.614053][T23794] binder: 23787:23794 ioctl c0306201 0 returned -14 [ 949.626126][T12061] binder: unexpected work type, 4, not freed [ 949.634324][T12061] binder: undelivered TRANSACTION_COMPLETE [ 950.287822][T23794] binder_alloc: binder_alloc_mmap_handler: 23787 20001000-20004000 already mapped failed -16 [ 950.298365][T23791] binder: 23787:23791 ioctl c018620b 0 returned -14 [ 950.299711][T23794] binder: BINDER_SET_CONTEXT_MGR already set [ 950.311907][T23794] binder: 23787:23794 ioctl 40046207 0 returned -16 [ 950.316905][T23799] binder_alloc: 23787: binder_alloc_buf, no vma [ 950.324885][T23799] binder: 23787:23799 transaction failed 29189/-3, size 24-8 line 3147 [ 950.333323][T23794] binder: 23787:23794 ioctl c0306201 0 returned -14 [ 950.341330][T12061] binder: send failed reply for transaction 2720, target dead [ 950.953471][ C1] net_ratelimit: 20 callbacks suppressed [ 950.953480][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 950.964945][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 950.970708][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 950.976469][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 950.982240][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 950.988020][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:51:37 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x0, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:37 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40486312}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:37 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0xfdfdffff, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:37 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x0, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:37 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc020660b, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 951.492257][T23810] binder: 23804:23810 ioctl c018620b 0 returned -14 [ 951.492594][T23807] binder: 23807 RLIMIT_NICE not set [ 951.499270][T23808] binder: 23801:23808 ioctl c018620b 0 returned -14 [ 951.509101][T23809] binder: 23803:23809 ioctl c018620b 0 returned -14 [ 951.519691][T23809] binder: 23803:23809 got reply transaction with no transaction stack [ 951.531696][T23809] binder: 23803:23809 transaction failed 29201/-71, size 0-0 line 2899 [ 951.540508][T23814] binder: BINDER_SET_CONTEXT_MGR already set [ 951.545219][T23809] binder_thread_write: 3 callbacks suppressed [ 951.545229][T23809] binder: 23803:23809 BC_INCREFS_DONE u0000000000000000 no match [ 951.551270][T23814] binder: 23802:23814 ioctl 40046207 0 returned -16 [ 951.561123][T23817] binder: 23804:23817 BC_INCREFS_DONE node 2729 has no pending increfs request [ 951.567532][T23815] binder: 23803:23815 ioctl c018620b 0 returned -14 [ 951.578524][T23817] binder: 23804:23817 ioctl c0306201 0 returned -14 07:51:37 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x1000000, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 951.589283][T23809] binder: 23803:23809 got reply transaction with no transaction stack [ 951.601301][T12061] binder: undelivered TRANSACTION_ERROR: 29201 [ 951.609955][T12061] binder_thread_release: 1 callbacks suppressed [ 951.609964][T12061] binder: release 23803:23819 transaction 2739 out, still active [ 951.646123][T23822] binder: 23821:23822 ioctl c018620b 0 returned -14 [ 951.653321][T23822] binder: 23822 RLIMIT_NICE not set [ 951.673496][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 951.679337][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 951.685180][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 951.690925][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:51:37 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, 0x0) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:38 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 952.283182][T31463] binder: release 23802:23820 transaction 2736 out, still active [ 952.302763][T23816] binder: 23801:23816 ioctl c018620b 0 returned -14 [ 952.303947][T23828] binder_alloc: binder_alloc_mmap_handler: 23804 20001000-20004000 already mapped failed -16 [ 952.327407][T23831] binder_alloc: 23804: binder_alloc_buf, no vma [ 952.327983][T23817] binder: 23804:23817 ioctl c018620b 0 returned -14 [ 952.345393][T23817] binder: BINDER_SET_CONTEXT_MGR already set [ 952.353204][T23817] binder: 23804:23817 ioctl 40046207 0 returned -16 [ 952.354660][T23829] binder: 23801:23829 BC_INCREFS_DONE u0000000000000000 no match [ 952.365256][T23828] binder_alloc: 23804: binder_alloc_buf, no vma [ 952.369158][T31463] binder: release 23801:23816 transaction 2732 out, still active [ 952.378228][T23833] binder: 23833 RLIMIT_NICE not set [ 952.387346][T23828] binder: 23804:23828 ioctl c0306201 0 returned -14 [ 952.389645][T23817] binder: 23804:23817 BC_INCREFS_DONE u0000000000000000 no match [ 952.395351][T12061] binder: send failed reply for transaction 2728 to 23804:23810 [ 952.402916][T23822] binder: 23821:23822 ioctl c018620b 0 returned -14 [ 952.411252][T12061] binder_send_failed_reply: 1 callbacks suppressed [ 952.411258][T12061] binder: send failed reply for transaction 2732, target dead 07:51:38 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0xfffffdfd, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:38 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0xfdfdffff, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:38 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306225, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 952.422196][T23822] binder: 23822 RLIMIT_NICE not set [ 952.441276][T12061] binder: send failed reply for transaction 2736, target dead [ 952.451557][T12061] binder: send failed reply for transaction 2739, target dead [ 952.489053][T12061] binder: send failed reply for transaction 2742 to 23821:23823 [ 952.491560][T23839] binder: 23838:23839 ioctl c018620b 0 returned -14 [ 952.506822][T12061] binder: release 23821:23834 transaction 2751 out, still active [ 952.515199][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 952.528709][T12061] binder: undelivered TRANSACTION_COMPLETE [ 952.528832][T23841] binder: 23840:23841 ioctl c018620b 0 returned -14 [ 952.535020][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 952.542974][T23841] binder: 23840:23841 ioctl c0306225 20000140 returned -22 [ 952.548347][T23843] binder: 23842:23843 ioctl c018620b 0 returned -14 [ 952.561028][T23841] binder: BINDER_SET_CONTEXT_MGR already set [ 952.567919][T23841] binder: 23840:23841 ioctl 40046207 0 returned -16 [ 952.575016][T23843] binder: 23843 RLIMIT_NICE not set [ 952.626666][T23847] binder: 23840:23847 BC_INCREFS_DONE node 2758 has no pending increfs request [ 952.637432][T23847] binder: 23840:23847 ioctl c0306201 0 returned -14 [ 953.154804][T12061] binder: release 23832:23835 transaction 2748 out, still active [ 953.172275][T31463] binder: send failed reply for transaction 2748, target dead [ 953.173442][T23846] binder: 23842:23846 ioctl c018620b 0 returned -14 [ 953.182139][T31463] binder: send failed reply for transaction 2751, target dead [ 953.187102][T23843] binder: 23843 RLIMIT_NICE not set [ 953.206885][T31463] binder: send failed reply for transaction 2754 to 23838:23844 [ 953.224946][T31463] binder: send failed reply for transaction 2757 to 23840:23841 [ 953.234360][T23841] binder_alloc: binder_alloc_mmap_handler: 23840 20001000-20004000 already mapped failed -16 [ 953.237003][T31463] binder: send failed reply for transaction 2760 to 23842:23846 [ 953.247364][T23847] binder: 23840:23847 ioctl c0306225 20000140 returned -22 [ 953.253585][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 953.260330][T23841] binder: 23840:23841 ioctl c018620b 0 returned -14 [ 953.272640][T23847] binder_alloc: 23840: binder_alloc_buf, no vma [ 953.279397][T23841] binder: 23840:23841 BC_INCREFS_DONE u0000000000000000 no match [ 953.280229][T23847] binder: 23840:23847 ioctl c0306201 0 returned -14 [ 953.294364][T23844] binder: 23838:23844 ioctl c018620b 0 returned -14 [ 953.303211][T12061] binder: undelivered TRANSACTION_ERROR: 29189 07:51:40 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, 0x0) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:40 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, 0x0) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:40 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:40 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0xfffffdfd, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:40 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:40 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x100000000000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 954.541458][T23858] binder: 23857:23858 ioctl c018620b 0 returned -14 [ 954.547763][T23860] binder: 23854:23860 ioctl c018620b 0 returned -14 [ 954.555820][T23862] binder: 23862 RLIMIT_NICE not set [ 954.561170][T23860] binder: 23860 RLIMIT_NICE not set [ 954.568876][T23863] binder: 23861:23863 ioctl c018620b 0 returned -14 [ 954.576039][T23863] binder: 23861:23863 unknown command 0 [ 954.581676][T23863] binder: 23861:23863 ioctl c0306201 20000140 returned -22 [ 954.601404][T23866] binder: BINDER_SET_CONTEXT_MGR already set [ 954.607980][T23866] binder: 23855:23866 ioctl 40046207 0 returned -16 [ 954.635614][T23871] binder: 23861:23871 BC_INCREFS_DONE node 2769 has no pending increfs request [ 954.646315][T23871] binder: 23861:23871 ioctl c0306201 0 returned -14 07:51:40 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, 0x0) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 955.341343][T23876] binder: 23857:23876 ioctl c018620b 0 returned -14 [ 955.348715][T23868] binder: 23854:23868 ioctl c018620b 0 returned -14 [ 955.353593][T31463] binder: release 23855:23866 transaction 2777 out, still active [ 955.357248][T23868] binder: 23868 RLIMIT_NICE not set [ 955.364165][T23871] binder_alloc: binder_alloc_mmap_handler: 23861 20001000-20004000 already mapped failed -16 [ 955.375608][T23879] binder_alloc: 23861: binder_alloc_buf, no vma 07:51:41 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, 0x0, 0x0) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:41 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x3f00000000000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 955.392706][T31463] binder: release 23857:23877 transaction 2780 out, still active [ 955.395432][T23879] binder_transaction: 6 callbacks suppressed [ 955.395447][T23879] binder: 23854:23879 transaction failed 29189/-3, size 24-8 line 3147 [ 955.406938][T23871] binder: 23861:23871 ioctl c018620b 0 returned -14 [ 955.422939][T23868] binder: 23854:23868 BC_INCREFS_DONE u0000000000000000 no match [ 955.439154][T31463] binder: release 23857:23869 transaction 2771 out, still active [ 955.451917][T23880] binder: 23861:23880 unknown command 0 [ 955.455136][T23882] binder: 23881:23882 ioctl c018620b 0 returned -14 [ 955.467049][T23887] binder_alloc: 23861: binder_alloc_buf, no vma [ 955.473677][T23886] binder: BINDER_SET_CONTEXT_MGR already set 07:51:41 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x100000000000000, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 955.489924][T23888] binder: 23888 RLIMIT_NICE not set [ 955.496528][T23887] binder: 23861:23887 transaction failed 29189/-3, size 24-8 line 3147 [ 955.498449][T23880] binder: 23861:23880 ioctl c0306201 20000140 returned -22 [ 955.509723][T23871] binder: 23861:23871 BC_INCREFS_DONE u0000000000000000 no match [ 955.520669][T23887] binder: 23861:23887 ioctl c0306201 0 returned -14 [ 955.530017][T23886] binder: 23861:23886 ioctl 40046207 0 returned -16 [ 955.532094][T31463] binder: send failed reply for transaction 2768 to 23861:23863 [ 955.538023][T23891] binder: 23890:23891 ioctl c018620b 0 returned -14 [ 955.545069][T23882] binder: 23881:23882 transaction failed 29189/-22, size 24-8 line 2994 [ 955.558204][T23891] binder: 23891 RLIMIT_NICE not set [ 955.559650][T31463] binder: send failed reply for transaction 2771, target dead [ 955.578454][T31463] binder: send failed reply for transaction 2774 to 23854:23868 07:51:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x2, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:41 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x4000000000000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 955.586339][T23882] binder: 23881:23882 BC_INCREFS_DONE u0000000000000000 no match [ 955.599509][T23893] binder: 23881:23893 ioctl c018620b 0 returned -14 [ 955.609850][T31463] binder: send failed reply for transaction 2777, target dead [ 955.639637][T23897] binder: 23896:23897 ioctl c018620b 0 returned -14 [ 955.649064][T31463] binder: send failed reply for transaction 2780, target dead [ 955.679300][T31463] binder: release 23881:23889 transaction 2793 out, still active [ 955.681308][T23897] binder: 23896:23897 unknown command 0 [ 955.695985][T23901] binder: 23899:23901 ioctl c018620b 0 returned -14 [ 955.698122][T31463] binder: undelivered TRANSACTION_COMPLETE [ 955.709064][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 955.711049][T23897] binder: 23896:23897 ioctl c0306201 20000140 returned -22 [ 955.715794][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 955.730252][T23897] binder: BINDER_SET_CONTEXT_MGR already set [ 955.736442][T23897] binder: 23896:23897 ioctl 40046207 0 returned -16 [ 955.789798][T23903] binder: 23896:23903 BC_INCREFS_DONE node 2797 has no pending increfs request [ 955.799537][T23903] binder: 23896:23903 ioctl c0306201 0 returned -14 [ 956.266547][T31463] binder: release 23885:23892 transaction 2787 out, still active [ 956.280081][T12061] binder: send failed reply for transaction 2787, target dead [ 956.288114][T12061] binder: send failed reply for transaction 2790 to 23890:23894 [ 956.296109][T12061] binder: send failed reply for transaction 2793, target dead [ 956.301373][T23891] binder: 23890:23891 ioctl c018620b 0 returned -14 [ 956.325590][T23894] binder: 23890:23894 transaction failed 29189/-22, size 24-8 line 2994 [ 956.329771][T12061] binder: send failed reply for transaction 2796 to 23896:23897 [ 956.334474][T23891] binder: 23891 RLIMIT_NICE not set [ 956.342269][T23897] binder_alloc: binder_alloc_mmap_handler: 23896 20001000-20004000 already mapped failed -16 [ 956.352428][T23894] binder: 23890:23894 BC_INCREFS_DONE u0000000000000000 no match [ 956.361964][T12061] binder: send failed reply for transaction 2799 to 23899:23902 [ 956.373031][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 956.379792][T23903] binder: 23896:23903 unknown command 0 [ 956.388818][T23903] binder: 23896:23903 ioctl c0306201 20000140 returned -22 [ 956.395277][T23897] binder: 23896:23897 ioctl c018620b 0 returned -14 [ 956.398348][T23906] binder_alloc: 23896: binder_alloc_buf, no vma [ 956.409844][T23906] binder: 23896:23906 transaction failed 29189/-3, size 24-8 line 3147 [ 956.418385][T23897] binder: 23896:23897 BC_INCREFS_DONE u0000000000000000 no match [ 956.418420][T23903] binder: 23896:23903 ioctl c0306201 0 returned -14 [ 956.472506][T23908] binder: 23899:23908 ioctl c018620b 0 returned -14 [ 956.484118][T23908] binder: 23899:23908 transaction failed 29189/-22, size 24-8 line 2994 [ 956.492599][T23902] binder: 23899:23902 BC_INCREFS_DONE u0000000000000000 no match [ 956.492760][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 957.193452][ C1] net_ratelimit: 20 callbacks suppressed [ 957.193463][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 957.204954][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 957.210738][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 957.216503][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 957.222266][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 957.228042][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:51:43 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, 0x0) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:43 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:43 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, 0x0, 0x0) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:43 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0xfdfdffff00000000, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x3, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:43 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0xfdfdffff00000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 957.586236][T23913] binder: 23912:23913 ioctl c018620b 0 returned -14 [ 957.598120][T23916] binder: 23914:23916 ioctl c018620b 0 returned -14 [ 957.607608][T23918] binder: 23918 RLIMIT_NICE not set [ 957.614081][T23913] binder: 23913 RLIMIT_NICE not set [ 957.615621][T23916] binder: 23914:23916 unknown command 0 [ 957.619678][T23920] binder: 23910:23920 ioctl c018620b 0 returned -14 [ 957.625304][T23916] binder: 23914:23916 ioctl c0306201 20000140 returned -22 [ 957.653458][T23923] binder: BINDER_SET_CONTEXT_MGR already set [ 957.659486][T23923] binder: 23911:23923 ioctl 40046207 0 returned -16 [ 957.686677][T23927] binder: 23914:23927 BC_INCREFS_DONE node 2808 has no pending increfs request [ 957.699816][T23927] binder: 23914:23927 ioctl c0306201 0 returned -14 [ 957.913499][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 957.919361][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 957.925182][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 957.930931][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:51:43 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 958.384597][T23926] binder: 23910:23926 ioctl c018620b 0 returned -14 [ 958.388720][T23924] binder: 23912:23924 ioctl c018620b 0 returned -14 [ 958.396454][T23927] binder_alloc: binder_alloc_mmap_handler: 23914 20001000-20004000 already mapped failed -16 [ 958.406296][T23933] binder_alloc: 23914: binder_alloc_buf, no vma [ 958.423936][T31463] binder: release 23911:23923 transaction 2813 out, still active 07:51:44 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, 0x0, 0x0) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 958.428518][T23924] binder: 23924 RLIMIT_NICE not set [ 958.437951][T12061] binder: release 23910:23926 transaction 2816 out, still active [ 958.448359][T23927] binder: 23914:23927 ioctl c018620b 0 returned -14 [ 958.456427][T23937] binder: 23914:23937 unknown command 0 [ 958.460519][T23935] binder_alloc: 23914: binder_alloc_buf, no vma [ 958.470829][T23933] binder: 23910:23933 transaction failed 29189/-3, size 24-8 line 3147 [ 958.471836][T23939] binder: 23939 RLIMIT_NICE not set 07:51:44 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630b}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 958.485821][T23935] binder: 23912:23935 transaction failed 29189/-3, size 24-8 line 3147 [ 958.494576][T31463] binder: release 23912:23924 transaction 2810 out, still active [ 958.503117][T23937] binder: 23914:23937 ioctl c0306201 20000140 returned -22 [ 958.527184][T23943] binder: BINDER_SET_CONTEXT_MGR already set [ 958.546915][T23945] binder: 23944:23945 ioctl c018620b 0 returned -14 [ 958.551781][T23943] binder: 23938:23943 ioctl 40046207 0 returned -16 [ 958.558659][T23945] binder: 23944:23945 ERROR: BC_REGISTER_LOOPER called without request [ 958.560227][T23940] binder: BINDER_SET_CONTEXT_MGR already set 07:51:44 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe13129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 958.560259][T23940] binder: 23914:23940 ioctl 40046207 0 returned -16 [ 958.573567][T23946] binder_alloc: 23914: binder_alloc_buf, no vma [ 958.587386][T23948] binder: 23947:23948 ioctl c018620b 0 returned -14 [ 958.593017][T23946] binder: 23938:23946 transaction failed 29189/-3, size 24-8 line 3147 [ 958.594734][T23927] binder: 23914:23927 BC_INCREFS_DONE u0000000000000000 no match [ 958.604553][T23949] binder_alloc: 23914: binder_alloc_buf, no vma [ 958.611533][T23937] binder: 23914:23937 ioctl c0306201 0 returned -14 [ 958.622050][T31463] binder: send failed reply for transaction 2807 to 23914:23916 [ 958.626478][T23943] binder: 23938:23943 BC_INCREFS_DONE u0000000000000000 no match [ 958.631564][T31463] binder: send failed reply for transaction 2810, target dead [ 958.640750][T23949] binder: 23944:23949 transaction failed 29189/-3, size 24-8 line 3147 [ 958.652424][T23950] binder: 23944:23950 BC_INCREFS_DONE u0000000000000000 no match [ 958.655209][T23942] binder_alloc: 23914: binder_alloc_buf, no vma [ 958.663841][T31463] binder: send failed reply for transaction 2813, target dead 07:51:44 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x4, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:44 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 958.677953][T23951] binder: 23947:23951 BC_INCREFS_DONE u0000000000000000 no match [ 958.693884][T31463] binder: send failed reply for transaction 2816, target dead [ 958.721834][T31463] binder: undelivered TRANSACTION_COMPLETE [ 958.733869][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 958.749009][T23957] binder: 23956:23957 ioctl c018620b 0 returned -14 [ 958.803037][T23959] binder: 23956:23959 ioctl c0306201 0 returned -14 [ 959.344823][T23950] binder: 23944:23950 ioctl c018620b 0 returned -14 [ 959.351660][T23949] binder: 23944:23949 ERROR: BC_REGISTER_LOOPER called without request [ 959.361442][T12061] binder: release 23944:23962 transaction 2829 out, still active [ 959.394704][T23951] binder: 23947:23951 ioctl c018620b 0 returned -14 [ 959.404602][T12061] binder: release 23947:23965 transaction 2832 out, still active [ 959.534272][T23959] binder_alloc: binder_alloc_mmap_handler: 23956 20001000-20004000 already mapped failed -16 [ 959.545222][T23959] binder: 23956:23959 ioctl c018620b 0 returned -14 [ 959.545875][T23966] binder: BINDER_SET_CONTEXT_MGR already set [ 959.557970][T23966] binder: 23956:23966 ioctl 40046207 0 returned -16 [ 959.562776][T23967] binder_alloc: 23956: binder_alloc_buf, no vma [ 959.570997][T23959] binder: 23956:23959 BC_INCREFS_DONE u0000000000000000 no match [ 959.571024][T23966] binder: 23956:23966 ioctl c0306201 0 returned -14 [ 959.585751][T12061] binder: release 23956:23959 transaction 2826 out, still active [ 959.594879][T12061] binder: send failed reply for transaction 2826, target dead [ 959.602479][T12061] binder: send failed reply for transaction 2829, target dead [ 959.610349][T12061] binder: send failed reply for transaction 2832, target dead 07:51:46 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, 0x0) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:46 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(0xffffffffffffffff, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:51:46 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:46 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x630d}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:46 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c12"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x5, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 960.633549][T23973] binder: 23969:23973 ioctl c018620b 0 returned -14 [ 960.644096][T23975] binder: 23974:23975 ioctl c018620b 0 returned -14 [ 960.647699][T23977] binder: 23971:23977 ioctl c018620b 0 returned -14 [ 960.651967][T23973] binder_set_nice: 4 callbacks suppressed [ 960.651973][T23973] binder: 23973 RLIMIT_NICE not set [ 960.667734][T23976] binder: 23976 RLIMIT_NICE not set [ 960.697910][T23984] binder_transaction: 3 callbacks suppressed [ 960.697926][T23984] binder: 23974:23984 transaction failed 29189/-22, size 24-8 line 2994 [ 960.710329][T23985] binder: 23971:23985 ioctl c0306201 0 returned -14 [ 960.719589][T23986] binder: BINDER_SET_CONTEXT_MGR already set [ 960.723276][T23984] binder: 23974:23984 BC_INCREFS_DONE u0000000000000000 no match [ 960.726344][T23986] binder: 23972:23986 ioctl 40046207 0 returned -16 07:51:46 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(0xffffffffffffffff, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 961.426028][T23983] binder: 23969:23983 ioctl c018620b 0 returned -14 [ 961.434208][T23993] binder: 23974:23993 ioctl c018620b 0 returned -14 [ 961.442186][T23994] binder_alloc: binder_alloc_mmap_handler: 23971 20001000-20004000 already mapped failed -16 [ 961.448347][T23993] binder_alloc: 23971: binder_alloc_buf, no vma [ 961.452449][T31463] binder: release 23972:23986 transaction 2844 out, still active [ 961.464645][T23993] binder: 23974:23993 transaction failed 29189/-3, size 24-8 line 3147 07:51:47 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 961.468869][T23983] binder: 23983 RLIMIT_NICE not set [ 961.475870][T23996] binder_alloc: 23971: binder_alloc_buf, no vma [ 961.486735][T23985] binder: 23971:23985 ioctl c018620b 0 returned -14 [ 961.492263][T23984] binder: 23974:23984 BC_INCREFS_DONE u0000000000000000 no match [ 961.494454][T23994] binder: BINDER_SET_CONTEXT_MGR already set 07:51:47 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x6312}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 961.521077][T23994] binder: 23971:23994 ioctl 40046207 0 returned -16 [ 961.533838][T23983] binder: 23969:23983 BC_INCREFS_DONE u0000000000000000 no match [ 961.535736][T12061] binder: release 23969:23983 transaction 2841 out, still active [ 961.547466][T23998] binder_alloc: 23971: binder_alloc_buf, no vma [ 961.556308][T23996] binder: 23969:23996 transaction failed 29189/-3, size 24-8 line 3147 [ 961.569000][T23985] binder: 23971:23985 BC_INCREFS_DONE u0000000000000000 no match [ 961.596787][T23994] binder: 23971:23994 ioctl c0306201 0 returned -14 [ 961.597833][T24000] binder: 24000 RLIMIT_NICE not set [ 961.608966][T23998] binder: 23971:23998 transaction failed 29189/-3, size 24-8 line 3147 [ 961.625748][T24003] binder: 24002:24003 ioctl c018620b 0 returned -14 [ 961.625870][T31463] binder: release 23971:23985 transaction 2838 out, still active [ 961.633289][T24003] binder: 24002:24003 unknown command 25362 07:51:47 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r0 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$KVM_DEASSIGN_DEV_IRQ(r0, 0x4040ae75, &(0x7f0000000040)={0xf117, 0x2, 0xfffffffffffffff7, 0x2}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) fadvise64(r0, 0x0, 0x8, 0x4) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x6, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 961.642201][T31463] binder: send failed reply for transaction 2838, target dead [ 961.664194][T31463] binder: send failed reply for transaction 2841, target dead [ 961.671960][T31463] binder: send failed reply for transaction 2844, target dead [ 961.675587][T24003] binder: 24002:24003 ioctl c0306201 20000140 returned -22 [ 961.687527][T24006] binder: 24005:24006 ioctl c018620b 0 returned -14 07:51:47 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(0xffffffffffffffff, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 961.709255][T24006] binder: 24006 RLIMIT_NICE not set [ 961.712361][T24010] binder: 24009:24010 ioctl c018620b 0 returned -14 [ 961.735257][T24008] binder: 24002:24008 ioctl c018620b 0 returned -14 [ 961.742046][T24003] binder: 24002:24003 unknown command 25362 [ 961.753661][T24003] binder: 24002:24003 ioctl c0306201 20000140 returned -22 [ 961.766136][T31463] binder: release 24002:24008 transaction 2854 out, still active [ 961.774792][T24016] binder: BINDER_SET_CONTEXT_MGR already set [ 961.780966][T24016] binder: 24009:24016 ioctl 40046207 0 returned -16 [ 961.794542][T24016] binder: 24009:24016 ioctl c0306201 0 returned -14 [ 962.394982][T12061] binder: send failed reply for transaction 2851, target dead [ 962.396558][T24006] binder: 24005:24006 ioctl c018620b 0 returned -14 [ 962.402542][T12061] binder: send failed reply for transaction 2857 to 24005:24014 [ 962.416292][T24006] binder: 24006 RLIMIT_NICE not set [ 962.417039][T12061] binder: send failed reply for transaction 2863 to 24009:24016 [ 962.422327][T24014] binder: 24005:24014 transaction failed 29189/-22, size 24-8 line 2994 [ 962.438805][T24021] binder: 24005:24021 BC_INCREFS_DONE u0000000000000000 no match [ 962.449089][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 962.507932][T24023] binder_alloc: binder_alloc_mmap_handler: 24009 20001000-20004000 already mapped failed -16 [ 962.518389][T24016] binder: 24009:24016 ioctl c018620b 0 returned -14 [ 962.525282][T24023] binder: 24009:24023 transaction failed 29189/-22, size 24-8 line 2994 [ 962.533820][T24023] binder: 24009:24023 ioctl c0306201 0 returned -14 [ 962.541076][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 963.433500][ C1] net_ratelimit: 20 callbacks suppressed [ 963.433509][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 963.445000][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 963.450766][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 963.456543][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 963.462302][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 963.468062][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:51:49 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:49 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046302}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:49 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, 0x0, 0x0) 07:51:49 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:49 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_PUBL_GET(r0, &(0x7f00000001c0)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000180)={&(0x7f0000000580)={0x148, r1, 0x802, 0x70bd2a, 0x25dfdbfc, {}, [@TIPC_NLA_NET={0x50, 0x7, [@TIPC_NLA_NET_NODEID={0xc, 0x3, 0xb60}, @TIPC_NLA_NET_ID={0x8}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x7}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x3}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0xffffffffffffffff}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x8f45}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x2}]}, @TIPC_NLA_MEDIA={0x28, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}]}, @TIPC_NLA_BEARER={0x98, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e20, 0x5, @mcast1, 0x7107}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x8, @ipv4={[], [], @local}, 0x1d3e}}}}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e24, 0x100000000, @local, 0x8}}, {0x14, 0x2, @in={0x2, 0x4e20, @local}}}}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'eth', 0x3a, 'vxcan1\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x4}]}, @TIPC_NLA_NET={0x24, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x1}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x2}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x3ff}]}]}, 0x148}}, 0x4) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x7, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 963.672159][T24034] binder: 24031:24034 ioctl c018620b 0 returned -14 [ 963.676694][T24030] binder: 24029:24030 ioctl c018620b 0 returned -14 [ 963.685917][T24033] binder: 24033 RLIMIT_NICE not set [ 963.692102][T24026] binder: 24025:24026 ioctl c018620b 0 returned -14 [ 963.692120][T24034] binder: BC_ACQUIRE_RESULT not supported [ 963.700316][T24026] binder: 24026 RLIMIT_NICE not set [ 963.705129][T24034] binder: 24031:24034 ioctl c0306201 20000140 returned -22 [ 963.719607][T24034] binder: 24031:24034 transaction failed 29189/-22, size 24-8 line 2994 [ 963.730864][T24034] binder_thread_write: 1 callbacks suppressed [ 963.730879][T24034] binder: 24031:24034 BC_INCREFS_DONE u0000000000000000 no match [ 963.748876][T24041] binder: 24031:24041 ioctl c018620b 0 returned -14 [ 963.755831][T24034] binder: BC_ACQUIRE_RESULT not supported [ 963.761600][T24034] binder: 24031:24034 ioctl c0306201 20000140 returned -22 07:51:49 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046304}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 963.768931][T24042] binder: BINDER_SET_CONTEXT_MGR already set [ 963.775047][T24042] binder: 24029:24042 ioctl 40046207 0 returned -16 [ 963.782670][T24042] binder: 24029:24042 ioctl c0306201 0 returned -14 [ 963.782871][T31463] binder_thread_release: 2 callbacks suppressed [ 963.782884][T31463] binder: release 24031:24043 transaction 2877 out, still active [ 963.845622][T24047] binder: 24046:24047 ioctl c018620b 0 returned -14 [ 964.153571][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 964.159448][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 964.165270][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 964.171123][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:51:49 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, 0x0, 0x0) [ 964.456219][T24055] binder: 24025:24055 ioctl c018620b 0 returned -14 [ 964.467790][T24056] binder_alloc: binder_alloc_mmap_handler: 24029 20001000-20004000 already mapped failed -16 [ 964.467999][T24040] binder: 24040 RLIMIT_NICE not set [ 964.484186][T31463] binder: release 24032:24038 transaction 2871 out, still active [ 964.492428][T31463] binder: release 24025:24055 transaction 2887 out, still active 07:51:50 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x0, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:50 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r0 = creat(0x0, 0x0) write$eventfd(r0, &(0x7f00000003c0)=0xfffffffffffff0f7, 0x8) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) syz_execute_func(&(0x7f0000000380)="c4e22dbfb4b300000100c4e101fa500fc4c3f90bcb5dc4e24dba20c4c18d57bf8600000065f20f1a5a770f3801020f01eec4e169e0e2dbb903000000") shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_LINK_RESET_STATS(r0, &(0x7f00000001c0)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000180)={&(0x7f0000000580)={0x130, r2, 0x21, 0x70bd26, 0x25dfdbfe, {}, [@TIPC_NLA_LINK={0x88, 0x4, [@TIPC_NLA_LINK_PROP={0x2c, 0x7, [@TIPC_NLA_PROP_MTU={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xe}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x480}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}]}, @TIPC_NLA_NET={0x44, 0x7, [@TIPC_NLA_NET_NODEID={0xc, 0x3, 0x8}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x8}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xacc}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x8}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x1}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0xfffffffffffffffd}]}, @TIPC_NLA_MEDIA={0x50, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x24, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}, @TIPC_NLA_PROP_MTU={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffeffffffff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}]}]}, 0x130}, 0x1, 0x0, 0x0, 0x20000040}, 0x1) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 964.503215][T24042] binder: 24029:24042 ioctl c018620b 0 returned -14 [ 964.512217][T31463] binder_send_failed_reply: 2 callbacks suppressed [ 964.512224][T31463] binder: send failed reply for transaction 2871, target dead [ 964.520861][T31463] binder: send failed reply for transaction 2874 to 24025:24040 [ 964.534219][T31463] binder: send failed reply for transaction 2877, target dead [ 964.542128][T31463] binder: send failed reply for transaction 2880 to 24029:24042 [ 964.550788][T24056] binder_alloc: 24029: binder_alloc_buf, no vma [ 964.562986][T31463] binder: send failed reply for transaction 2884 to 24046:24048 [ 964.568057][T24059] binder: 24059 RLIMIT_NICE not set [ 964.583591][T31463] binder: send failed reply for transaction 2887, target dead [ 964.584872][T24056] binder: 24029:24056 transaction failed 29189/-3, size 24-8 line 3147 [ 964.591500][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 964.605520][T24042] binder: 24029:24042 BC_INCREFS_DONE u0000000000000000 no match [ 964.608617][T24061] binder: 24060:24061 ioctl c018620b 0 returned -14 [ 964.614171][T24063] binder: BINDER_SET_CONTEXT_MGR already set [ 964.621834][T24062] binder: 24029:24062 ioctl c0306201 0 returned -14 [ 964.633138][T24048] binder: 24046:24048 ioctl c018620b 0 returned -14 [ 964.635141][T24063] binder: 24057:24063 ioctl 40046207 0 returned -16 [ 964.641967][T24065] binder_alloc: 24029: binder_alloc_buf, no vma 07:51:50 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x3) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$PPPOEIOCDFWD(r0, 0xb101, 0x0) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 964.649545][T24063] binder: 24057:24063 transaction failed 29189/-22, size 24-8 line 2994 [ 964.660536][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 964.663053][T24063] binder: 24057:24063 BC_INCREFS_DONE u0000000000000000 no match [ 964.673519][T24065] binder: 24046:24065 transaction failed 29189/-3, size 24-8 line 3147 [ 964.698937][T24064] binder: 24046:24064 BC_INCREFS_DONE u0000000000000000 no match 07:51:50 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x48, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 964.699534][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 964.726786][T24068] binder: 24067:24068 ioctl c018620b 0 returned -14 [ 964.769347][T24072] binder: 24071:24072 ioctl c018620b 0 returned -14 [ 964.790711][T24074] binder: 24067:24074 BC_INCREFS_DONE u0000000000000000 no match [ 964.833087][T24075] binder: 24071:24075 ioctl c0306201 0 returned -14 [ 965.521291][T24077] binder: 24067:24077 ioctl c018620b 0 returned -14 [ 965.528959][T12061] binder: release 24067:24078 transaction 2900 out, still active [ 965.557096][T24079] binder_alloc: binder_alloc_mmap_handler: 24071 20001000-20004000 already mapped failed -16 [ 965.570705][T24075] binder: 24071:24075 ioctl c018620b 0 returned -14 [ 965.571112][T24079] binder: BINDER_SET_CONTEXT_MGR already set [ 965.584179][T24079] binder: 24071:24079 ioctl 40046207 0 returned -16 [ 965.587979][T24080] binder_alloc: 24071: binder_alloc_buf, no vma [ 965.598360][T24075] binder: 24071:24075 BC_INCREFS_DONE u0000000000000000 no match [ 965.598386][T24079] binder: 24071:24079 ioctl c0306201 0 returned -14 [ 965.613058][T12061] binder: send failed reply for transaction 2897 to 24071:24075 [ 965.621388][T12061] binder: send failed reply for transaction 2900, target dead [ 965.634882][T12061] binder: undelivered TRANSACTION_ERROR: 29189 07:51:52 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:52 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40046307}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:52 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, 0x0, 0x0) 07:51:52 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x0, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:52 executing program 4: r0 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ubi_ctrl\x00', 0x2, 0x0) openat(r0, &(0x7f0000000080)='./file0\x00', 0x40002000, 0x138) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r1 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') fcntl$setstatus(r1, 0x4, 0x6800) ioctl$VIDIOC_S_TUNER(r1, 0x4054561e, &(0x7f0000000480)={0x0, "8ebd49206ea220b13106c1eefcea72504fb4681db9d6d0e0a50e89844c1e8c0e", 0x3, 0x4, 0x5, 0x8, 0x2, 0x3, 0x800, 0x4}) r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, 0x0) r3 = socket$inet6(0xa, 0x8000f, 0x3c3) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="0c630000a28fe201cbde7b30958785d5e18a7cd9ecbe8dae778564123699f1cffe48080700000000000000b45262f89e66d0cb49d21c1c6d4e18c237073d1e25159c95921b161e2447bb0872a30a8506e1bc80662ad80e"], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x3) setsockopt$inet6_MRT6_DEL_MFC_PROXY(r3, 0x29, 0xd3, &(0x7f0000000380)={{0xa, 0x4e24, 0x20, @mcast2, 0xe99}, {0xa, 0x4e24, 0x2, @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x8}, 0x3, [0x5, 0x80, 0x40, 0x7, 0x6, 0x101, 0x44, 0x40]}, 0x5c) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x800) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r0, 0x4058534c, &(0x7f0000000180)={0x200, 0x6, 0x5, 0x4, 0x40, 0xa53}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="086310403b840bc5f5bf24738bfcb87dac5316fb7bd6ef5e2434aa2cb63e799b0e03123f3a7cd192bef70befd887db817abe9fdb8608", @ANYRES64=0x0, @ANYBLOB="c540742ddeb56a8fffc20f71aa5990000000"], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x4c, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 966.690003][T24089] binder: 24084:24089 ioctl c018620b 0 returned -14 [ 966.701476][T24088] binder_set_nice: 3 callbacks suppressed [ 966.701483][T24088] binder: 24088 RLIMIT_NICE not set [ 966.707329][T24083] binder: 24082:24083 ioctl c018620b 0 returned -14 [ 966.707435][T24083] binder: 24082:24083 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 966.713874][T24092] binder: 24091:24092 ioctl c018620b 0 returned -14 [ 966.735941][T24092] binder: 24092 RLIMIT_NICE not set [ 966.749577][T24096] binder: BINDER_SET_CONTEXT_MGR already set [ 966.757386][T24096] binder: 24084:24096 ioctl 40046207 0 returned -16 [ 966.765280][T24096] binder: 24084:24096 ioctl c0306201 0 returned -14 [ 966.782324][T24100] binder: 24091:24100 BC_INCREFS_DONE u7324bff5c50b843b no match 07:51:52 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340), 0x0) [ 967.483034][T24106] binder: 24082:24106 ioctl c018620b 0 returned -14 [ 967.485820][T31463] binder: release 24087:24095 transaction 2905 out, still active [ 967.498797][T24096] binder_alloc: binder_alloc_mmap_handler: 24084 20001000-20004000 already mapped failed -16 [ 967.504488][T24100] binder: 24091:24100 ioctl c018620b 0 returned -14 [ 967.510586][T24096] binder: 24084:24096 ioctl c018620b 0 returned -14 [ 967.522510][T24098] binder: 24082:24098 DecRefs 0 refcount change on invalid ref 0 ret -22 07:51:53 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x0, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 967.524986][T24108] binder: 24108 RLIMIT_NICE not set [ 967.536403][T24107] binder: BINDER_SET_CONTEXT_MGR already set [ 967.542840][T24107] binder: 24084:24107 ioctl 40046207 0 returned -16 [ 967.542915][T31463] binder: send failed reply for transaction 2905, target dead [ 967.551490][T24110] binder_transaction: 2 callbacks suppressed [ 967.551504][T24110] binder: 24084:24110 transaction failed 29189/-22, size 24-8 line 2994 [ 967.569360][T24096] binder: 24084:24096 BC_INCREFS_DONE u0000000000000000 no match [ 967.579709][T24106] binder: 24082:24106 transaction failed 29189/-22, size 24-8 line 2994 [ 967.579887][T24100] binder: 24091:24100 transaction failed 29189/-22, size 24-8 line 2994 [ 967.594134][T24098] binder: 24082:24098 BC_INCREFS_DONE u0000000000000000 no match [ 967.605627][T31463] binder: send failed reply for transaction 2908 to 24082:24098 [ 967.607958][T24110] binder: 24084:24110 ioctl c0306201 0 returned -14 [ 967.613542][T24113] binder: 24113 RLIMIT_NICE not set 07:51:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x68, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 967.631209][T31463] binder: send failed reply for transaction 2911 to 24084:24096 [ 967.641778][T24108] binder: 24091:24108 BC_INCREFS_DONE u7324bff5c50b843b no match [ 967.650877][T31463] binder: send failed reply for transaction 2914 to 24091:24100 07:51:53 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086303}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 967.673956][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 967.682760][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 967.706086][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:51:53 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_INFO(r0, 0xc08c5334, &(0x7f0000000480)={0x4, 0x6, 0x2, 'queue1\x00', 0x7}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="08631040", @ANYRES64=0x0, @ANYBLOB="ffffffffa848b3d8a940c2fffffffa000000"], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 967.720541][T24119] binder: 24118:24119 ioctl c018620b 0 returned -14 07:51:53 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340), 0x0) [ 967.746864][T24121] binder: 24120:24121 ioctl c018620b 0 returned -14 [ 967.761529][T24123] binder: 24122:24123 ioctl c018620b 0 returned -14 [ 967.768739][T24123] binder: 24123 RLIMIT_NICE not set [ 967.774486][T24121] binder: 24120:24121 BC_FREE_BUFFER u0000000000000000 no match [ 967.787370][T24125] binder: BINDER_SET_CONTEXT_MGR already set [ 967.801788][T24125] binder: 24118:24125 ioctl 40046207 0 returned -16 [ 967.816068][T24128] binder: 24122:24128 BC_INCREFS_DONE u0000000000000000 node 2925 cookie mismatch d8b348a8ffffffff != 0000000000000000 [ 967.817200][T24125] binder: 24118:24125 ioctl c0306201 0 returned -14 [ 968.380488][T31463] binder: release 24112:24115 transaction 2921 out, still active [ 968.393235][T12061] binder: send failed reply for transaction 2921, target dead [ 968.410302][T12061] binder: send failed reply for transaction 2924 to 24122:24128 [ 968.418797][T12061] binder: send failed reply for transaction 2927 to 24118:24125 [ 968.433413][T12061] binder: send failed reply for transaction 2930 to 24120:24129 [ 968.516335][T24125] binder_alloc: binder_alloc_mmap_handler: 24118 20001000-20004000 already mapped failed -16 [ 968.527013][T24125] binder: 24118:24125 ioctl c018620b 0 returned -14 [ 968.527752][T24135] binder_alloc: 24118: binder_alloc_buf, no vma [ 968.540945][T24129] binder: 24120:24129 ioctl c018620b 0 returned -14 [ 968.547656][T24135] binder: 24118:24135 transaction failed 29189/-3, size 24-8 line 3147 [ 968.556161][T24134] binder: 24118:24134 ioctl c0306201 0 returned -14 [ 968.556508][T24129] binder: 24120:24129 BC_FREE_BUFFER u0000000000000000 no match [ 968.564166][T24137] binder: 24120:24137 transaction failed 29189/-22, size 24-8 line 2994 [ 968.571264][T24128] binder: 24122:24128 ioctl c018620b 0 returned -14 [ 968.584134][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 968.585900][T24128] binder: 24128 RLIMIT_NICE not set [ 968.597463][T24138] binder: 24122:24138 transaction failed 29189/-22, size 24-8 line 2994 [ 968.613733][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 968.619943][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:51:55 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:55 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340), 0x0) 07:51:55 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x0, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x6c, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:55 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) syz_open_dev$admmidi(&(0x7f0000000040)='/dev/admmidi#\x00', 0x5, 0x80) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:55 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x4008630a}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 969.673457][ C1] net_ratelimit: 20 callbacks suppressed [ 969.673465][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 969.684927][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 969.690709][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 969.696486][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 969.702252][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 969.708028][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 969.748135][T24148] binder: 24147:24148 ioctl c018620b 0 returned -14 [ 969.755778][T24146] binder: 24145:24146 ioctl c018620b 0 returned -14 [ 969.759834][T24153] binder: 24149:24153 ioctl c018620b 0 returned -14 [ 969.767626][T24146] binder: 24146 RLIMIT_NICE not set [ 969.770083][T24148] binder: BC_ATTEMPT_ACQUIRE not supported [ 969.782157][T24148] binder: 24147:24148 ioctl c0306201 20000140 returned -22 [ 969.790699][T24148] binder: 24147:24148 transaction failed 29189/-22, size 24-8 line 2994 [ 969.799464][T24150] binder: 24150 RLIMIT_NICE not set [ 969.806858][T24148] binder_thread_write: 1 callbacks suppressed [ 969.806869][T24148] binder: 24147:24148 BC_INCREFS_DONE u0000000000000000 no match [ 969.815926][T24156] binder: 24145:24156 transaction failed 29189/-22, size 24-8 line 2994 [ 969.825330][T24157] binder: 24147:24157 ioctl c018620b 0 returned -14 [ 969.831323][T24156] binder: 24145:24156 BC_INCREFS_DONE u0000000000000000 no match 07:51:55 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40086310}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 969.840160][T24158] binder: 24149:24158 ioctl c0306201 0 returned -14 [ 969.850704][T24148] binder: BC_ATTEMPT_ACQUIRE not supported [ 969.850851][T24161] binder: BINDER_SET_CONTEXT_MGR already set [ 969.860509][T24148] binder: 24147:24148 ioctl c0306201 20000140 returned -22 [ 969.862846][T24161] binder: 24142:24161 ioctl 40046207 0 returned -16 [ 969.872529][T12061] binder: release 24147:24159 transaction 2943 out, still active [ 969.909188][T24164] binder: 24163:24164 ioctl c018620b 0 returned -14 [ 969.916402][T24164] binder: 24163:24164 BC_DEAD_BINDER_DONE 0000000000000000 not found 07:51:55 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{0x0}], 0x1) [ 970.393455][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 970.399448][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 970.405281][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 970.411017][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 970.541603][T24156] binder: 24145:24156 ioctl c018620b 0 returned -14 [ 970.541607][T24171] binder: 24171 RLIMIT_NICE not set [ 970.546250][T24172] binder: 24145:24172 BC_INCREFS_DONE node 2953 has no pending increfs request [ 970.553503][T12061] binder: release 24142:24161 transaction 2946 out, still active [ 970.558677][T24173] binder_alloc: binder_alloc_mmap_handler: 24149 20001000-20004000 already mapped failed -16 [ 970.569294][T31463] binder: release 24145:24171 transaction 2952 out, still active 07:51:56 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x0, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:56 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r1 = creat(0x0, 0xf) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x800) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000100)={0x0}, &(0x7f0000000180)=0xc) write$cgroup_pid(r1, &(0x7f00000001c0)=r3, 0x12) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000200)=ANY=[@ANYBLOB="2700ff0400000100000076234a2c28630000"], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$VIDIOC_S_DV_TIMINGS(r0, 0xc0845657, &(0x7f0000000480)={0x0, @reserved}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000040)=ANY=[@ANYBLOB="8509e7fe8a6c3c2c1171de5298782a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) mknodat(r1, &(0x7f00000000c0)='./file0\x00', 0x81a6, 0x0) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') r4 = semget(0x2, 0x0, 0x10) semctl$GETPID(r4, 0x1, 0xb, &(0x7f0000000580)=""/160) [ 970.578232][T24158] binder: 24149:24158 ioctl c018620b 0 returned -14 [ 970.594558][T24173] binder: BINDER_SET_CONTEXT_MGR already set [ 970.616858][T24173] binder: 24149:24173 ioctl 40046207 0 returned -16 [ 970.617026][T24174] binder_alloc: 24149: binder_alloc_buf, no vma [ 970.632369][T24177] binder: 24177 RLIMIT_NICE not set [ 970.638389][T24174] binder: 24149:24174 transaction failed 29189/-3, size 24-8 line 3147 [ 970.652384][T24158] binder: 24149:24158 BC_INCREFS_DONE u0000000000000000 no match [ 970.662052][T24179] binder: 24178:24179 ioctl c018620b 0 returned -14 [ 970.668951][T24174] binder: 24149:24174 ioctl c0306201 0 returned -14 [ 970.669663][T24179] binder: 24178:24179 unknown command 83820583 [ 970.678426][T31463] binder: release 24149:24158 transaction 2940 out, still active [ 970.682456][T24179] binder: 24178:24179 ioctl c0306201 20000140 returned -22 [ 970.689917][T24180] binder: BINDER_SET_CONTEXT_MGR already set [ 970.707802][T24165] binder: 24163:24165 ioctl c018620b 0 returned -14 [ 970.714688][T24179] binder_alloc: 24149: binder_alloc_buf, no vma [ 970.718197][T24165] binder: 24163:24165 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 970.721150][T31463] binder: send failed reply for transaction 2940, target dead 07:51:56 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x74, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 970.733228][T24183] binder: 24163:24183 transaction failed 29189/-22, size 24-8 line 2994 [ 970.737006][T24180] binder: 24175:24180 ioctl 40046207 0 returned -16 [ 970.756011][T31463] binder: send failed reply for transaction 2943, target dead [ 970.763762][T24182] binder: 24175:24182 BC_INCREFS_DONE u0000000000000000 no match [ 970.771863][T24184] binder: 24178:24184 BC_INCREFS_DONE u0000000000000000 no match [ 970.779901][T31463] binder: send failed reply for transaction 2946, target dead 07:51:56 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x400c630e}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 970.798197][T31463] binder: send failed reply for transaction 2949 to 24163:24165 [ 970.814269][T24184] binder: 24178:24184 ioctl c018620b 0 returned -14 [ 970.825996][T31463] binder: send failed reply for transaction 2952, target dead [ 970.835324][T24179] binder: 24178:24179 unknown command 83820583 [ 970.841647][T24187] binder: 24186:24187 ioctl c018620b 0 returned -14 [ 970.851980][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 970.859024][T24179] binder: 24178:24179 ioctl c0306201 20000140 returned -22 [ 970.875768][T24189] binder: 24178:24189 BC_INCREFS_DONE u0000000000000000 no match [ 970.892767][T24192] binder: 24191:24192 ioctl c018620b 0 returned -14 [ 970.900384][T24192] binder: 24191:24192 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 970.915513][T24193] binder: 24186:24193 ioctl c0306201 0 returned -14 [ 971.604250][T24193] binder_alloc: binder_alloc_mmap_handler: 24186 20001000-20004000 already mapped failed -16 [ 971.615233][T24193] binder: 24186:24193 ioctl c018620b 0 returned -14 [ 971.622001][T24193] binder: BINDER_SET_CONTEXT_MGR already set [ 971.628091][T24193] binder: 24186:24193 ioctl 40046207 0 returned -16 [ 971.628205][T24196] binder_alloc: 24186: binder_alloc_buf, no vma [ 971.643887][T24193] binder: 24186:24193 BC_INCREFS_DONE u0000000000000000 no match [ 971.644883][T24196] binder: 24186:24196 ioctl c0306201 0 returned -14 [ 971.658743][T12061] binder: release 24186:24193 transaction 2961 out, still active [ 971.667167][T12061] binder: send failed reply for transaction 2961, target dead [ 971.674725][T12061] binder: send failed reply for transaction 2964 to 24191:24194 [ 971.690563][T24194] binder: 24191:24194 ioctl c018620b 0 returned -14 [ 971.698193][T24194] binder: 24191:24194 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 971.709512][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:51:58 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:58 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{0x0}], 0x1) 07:51:58 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.cpu/syz1\x00', 0x200002, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:58 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x0, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x7a, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:51:58 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x400c630f}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 972.785746][T24206] binder: 24204:24206 ioctl c018620b 0 returned -14 [ 972.793073][T24211] binder: 24205:24211 ioctl c018620b 0 returned -14 [ 972.797815][T24206] binder: 24204:24206 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 972.804428][T24210] binder: 24201:24210 ioctl c018620b 0 returned -14 [ 972.811918][T24207] binder: 24207 RLIMIT_NICE not set [ 972.814823][T24210] binder: 24210 RLIMIT_NICE not set [ 972.843685][T24214] binder_transaction: 5 callbacks suppressed [ 972.843702][T24214] binder: 24204:24214 transaction failed 29189/-22, size 24-8 line 2994 [ 972.858358][T24216] binder: BINDER_SET_CONTEXT_MGR already set [ 972.864510][T24216] binder: 24205:24216 ioctl 40046207 0 returned -16 [ 972.884284][T24214] binder: 24204:24214 BC_INCREFS_DONE u0000000000000000 no match 07:51:58 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) [ 972.884920][T24216] binder: 24205:24216 ioctl c0306201 0 returned -14 07:51:58 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(0xffffffffffffffff, 0xa, 0x12) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:58 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x0) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:58 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x0) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:58 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x0) fcntl$setownex(r1, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:59 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:51:59 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{0x0}], 0x1) [ 973.580723][T24214] binder: 24204:24214 ioctl c018620b 0 returned -14 [ 973.583645][T12061] binder: release 24203:24217 transaction 2971 out, still active [ 973.588567][T24246] binder_alloc: binder_alloc_mmap_handler: 24205 20001000-20004000 already mapped failed -16 [ 973.595524][T24218] binder: 24201:24218 ioctl c018620b 0 returned -14 [ 973.605557][T24243] binder: 24243 RLIMIT_NICE not set [ 973.617962][T24214] binder: 24204:24214 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 07:51:59 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x0, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 973.629990][T12061] binder: release 24204:24247 transaction 2980 out, still active [ 973.634000][T24216] binder: 24205:24216 ioctl c018620b 0 returned -14 [ 973.652838][T24246] binder: BINDER_SET_CONTEXT_MGR already set [ 973.660061][T24243] binder: 24201:24243 BC_INCREFS_DONE u0000000000000000 no match [ 973.675141][T24246] binder: 24205:24246 ioctl 40046207 0 returned -16 [ 973.675370][T12061] binder: send failed reply for transaction 2971, target dead [ 973.681800][T24249] binder: 24205:24249 transaction failed 29189/-22, size 24-8 line 2994 [ 973.681921][T24216] binder: 24205:24216 BC_INCREFS_DONE u0000000000000000 no match 07:51:59 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0xfffffffffffffffb) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB='\f\x00\x00\x00'], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:51:59 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40106308}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:51:59 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x300, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 973.723677][T24253] binder: 24253 RLIMIT_NICE not set [ 973.741986][T24255] binder: 24254:24255 ioctl c018620b 0 returned -14 [ 973.752336][T12061] binder: send failed reply for transaction 2974 to 24201:24218 [ 973.771595][T24259] binder: 24256:24259 ioctl c018620b 0 returned -14 [ 973.779204][T12061] binder: send failed reply for transaction 2977 to 24205:24216 [ 973.787543][T24259] binder: 24256:24259 unknown command 12 [ 973.798134][T24261] binder: 24260:24261 ioctl c018620b 0 returned -14 [ 973.799959][T24259] binder: 24256:24259 ioctl c0306201 20000140 returned -22 [ 973.805603][T12061] binder: send failed reply for transaction 2980, target dead 07:51:59 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) [ 973.819861][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 973.826206][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 973.861524][T24263] binder: 24256:24263 BC_INCREFS_DONE node 2992 has no pending increfs request [ 973.871553][T24264] binder: BINDER_SET_CONTEXT_MGR already set [ 973.879016][T24264] binder: 24260:24264 ioctl 40046207 0 returned -16 [ 973.888131][T24264] binder: 24260:24264 ioctl c0306201 0 returned -14 07:52:00 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:52:00 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x0, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 974.516680][T31463] binder: release 24252:24258 transaction 2985 out, still active [ 974.531496][T12061] binder: send failed reply for transaction 2985, target dead [ 974.539258][T12061] binder: send failed reply for transaction 2988 to 24254:24262 [ 974.547140][T12061] binder: send failed reply for transaction 2991 to 24256:24259 [ 974.555183][T12061] binder: send failed reply for transaction 2994 to 24260:24264 [ 974.563872][T24262] binder: 24254:24262 ioctl c018620b 0 returned -14 [ 974.570703][T24263] binder: 24256:24263 ioctl c018620b 0 returned -14 [ 974.577496][T24278] binder: 24254:24278 transaction failed 29189/-22, size 24-8 line 2994 [ 974.586908][T24276] binder: 24276 RLIMIT_NICE not set [ 974.592386][T24259] binder: 24256:24259 unknown command 12 [ 974.598337][T24281] binder_alloc: binder_alloc_mmap_handler: 24260 20001000-20004000 already mapped failed -16 [ 974.602301][T24259] binder: 24256:24259 ioctl c0306201 20000140 returned -22 07:52:00 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40106309}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 974.614847][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 974.620293][T24280] binder: 24256:24280 transaction failed 29189/-22, size 24-8 line 2994 [ 974.640720][T24264] binder: 24260:24264 ioctl c018620b 0 returned -14 [ 974.650265][T24281] binder: BINDER_SET_CONTEXT_MGR already set 07:52:00 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) sendmsg$nl_route_sched(r0, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x440}, 0xc, &(0x7f0000000100)={&(0x7f0000000980)=@newtaction={0x4220, 0x30, 0x400, 0x70bd27, 0x25dfdbfe, {}, [{0xdc, 0x1, @m_simple={0xd8, 0x1f, {{0xc, 0x1, 'simple\x00'}, {0x30, 0x2, [@TCA_DEF_PARMS={0x18, 0x2, {0x80000001, 0x3, 0x20000000, 0x7, 0x6e38e85d}}, @TCA_DEF_DATA={0x14, 0x3, '#vboxnet0^self\\\x00'}]}, {0x94, 0x6, "8bf788a2b9923f878da79b8bb13868afbee983e13c6024797b4cb1bd58a5b43f2a6221d2b111fae0d9ab040edf3ec6d1008347df007e0b1e931232fa1725ecbc1c80fa1e6488f288ea16173929abfed5d3f3826c880a24bab9f8cca3342504b97e0c3b8c43f8138fd01de1bca84d8b495b924b2476d2563585cbf32e18fa01e164055b403ad52d65d6f62c0ebeee8883"}}}}, {0x108, 0x1, @m_tunnel_key={0x104, 0x9, {{0x10, 0x1, 'tunnel_key\x00'}, {0x6c, 0x2, [@TCA_TUNNEL_KEY_ENC_IPV6_DST={0x14, 0x6, @empty}, @TCA_TUNNEL_KEY_ENC_IPV4_DST={0x8, 0x4, @dev={0xac, 0x14, 0x14, 0x11}}, @TCA_TUNNEL_KEY_ENC_IPV6_SRC={0x14, 0x5, @mcast1}, @TCA_TUNNEL_KEY_ENC_KEY_ID={0x8, 0x7, 0x20}, @TCA_TUNNEL_KEY_ENC_IPV6_SRC={0x14, 0x5, @local}, @TCA_TUNNEL_KEY_ENC_DST_PORT={0x8, 0x9, 0x4e22}, @TCA_TUNNEL_KEY_ENC_IPV6_DST={0x14, 0x6, @local}]}, {0x80, 0x6, "a10fe8d8c12ce68f62e7c6c52d1b46e31fa08d2322e24f8117ed3c32a3b1d5996129d96ae3de2e475e18e496b12ad20da2c8640a669ff90284a93a8bea5f86ea56753d96d56d6197752de5aa9c0930b9ff2c336e62a6687df925620695095403c0375bd87cfc23bee9797bf8cfc100ab5b3be412ff91d45c5509b8"}}}}, {0x4b4, 0x1, @m_police={0x4b0, 0x15, {{0xc, 0x1, 'police\x00'}, {0x454, 0x2, [@TCA_POLICE_RESULT={0x8, 0x5, 0x9}, @TCA_POLICE_TBF={0x3c, 0x1, {0x0, 0x3, 0x800, 0x200, 0x4, {0x9, 0x3, 0xe7, 0x4, 0xfffffffffffffffc, 0x8001}, {0xffff, 0x2, 0x4, 0x9, 0x73e, 0x7f}, 0x1ff, 0x8, 0x3}}, @TCA_POLICE_AVRATE={0x8, 0x4, 0x40}, @TCA_POLICE_RATE={0x404, 0x2, [0x62, 0x6, 0x8, 0x0, 0x6, 0x329, 0x0, 0x5a, 0xbe74, 0x2789, 0xfffffffffffff9e0, 0x100000001, 0x3, 0x4, 0x5, 0xffff, 0x7fffffff, 0x81, 0x100, 0x1, 0xfb, 0x9, 0x80000001, 0x0, 0xff, 0x7, 0x7, 0xfffffffffffff1c2, 0xfffffffffffffffc, 0x0, 0x35f0983c, 0x7fff, 0x200, 0x3, 0x7f, 0x9, 0xfffffffffffff800, 0xffffffff, 0x1, 0x1, 0x100000001, 0x3, 0x40, 0x6, 0x1, 0xab, 0x2328, 0x2cc7, 0x8000, 0x8fb5, 0x65, 0x1, 0x3ff, 0x9, 0xda22, 0x3, 0xffff, 0x5, 0x5, 0x9, 0x9, 0xf2, 0x7, 0x8, 0x1, 0x1, 0x8000, 0x400, 0x8001, 0x80000000, 0x2, 0xbe90, 0x8, 0x3, 0x4, 0x9, 0x8, 0x3, 0x3, 0xcda, 0x9, 0x80000001, 0x6, 0xffffffff7fffffff, 0x9, 0x7fff, 0xe32, 0x80000001, 0x9, 0x1000, 0x5, 0x7, 0x7, 0x80000001, 0x1, 0x3, 0x400, 0x1, 0xe592, 0x9, 0x0, 0x1, 0x7, 0x8, 0xe000000000000000, 0x90, 0xa99e, 0x80, 0xfffffffffffff49a, 0x8000, 0x3, 0x8, 0x79148d0b, 0x6, 0x1, 0x0, 0x7fff, 0x9, 0x1, 0xa5b8, 0x2, 0xed, 0x90f5, 0x9, 0xae, 0x1, 0x8, 0x80000001, 0x7, 0x1, 0x80000001, 0x5dd6, 0x80, 0x2, 0x401, 0x2, 0xbd, 0x7ff, 0xff, 0x80, 0x0, 0x9, 0x9, 0x200, 0x8, 0x7f, 0x63, 0x2, 0x5, 0x1fc9, 0x401, 0x8001, 0xffac, 0x0, 0x1, 0xfffffffffffff001, 0x800, 0xffffffffffff0bc3, 0x1000, 0x3f, 0x20, 0x6, 0x4, 0xd3f, 0x2, 0x6, 0x20, 0x2, 0x7, 0x2, 0x10000, 0x8000, 0x80000001, 0x9, 0x18, 0x401, 0x5, 0x1, 0xd74, 0x5, 0x7, 0xffffffffffff0000, 0x1, 0x7, 0x7, 0xe9, 0x1ec, 0x200, 0x9, 0x8, 0x9, 0x20, 0x4, 0x1, 0x1c00000000, 0xfd, 0xcc, 0x3c13, 0xaf0, 0x1, 0x80, 0x800, 0x9, 0x8, 0x4, 0x3f, 0x2, 0x4, 0x4, 0x100000000, 0xfffffffffffffc00, 0x100000001, 0x7, 0x7fffffff, 0x6, 0x5, 0x80, 0x8, 0x2, 0x7a71, 0x81, 0x2, 0x8, 0x3ff, 0x4, 0xa4b, 0x2, 0x7, 0x8, 0x76c, 0xc959, 0x5f, 0x7fff, 0x9f3, 0x100, 0xaab, 0x9, 0x0, 0x15, 0x9, 0x1, 0x7, 0x9, 0xffffffff, 0x1, 0x1ff, 0xf, 0x1, 0x3, 0x7f, 0x5, 0x7, 0x1, 0x3, 0xffffffff, 0x8]}]}, {0x48, 0x6, "43f3f58ffd0912620c76dba13ad95d0baaed0284e86f14bac4e1d05392cf88df463dd23c7e497624132035fdbf0252b5fbc41d40598d2f541886e4d091419256acd95c4a"}}}}, {0x9c, 0x1, @m_nat={0x98, 0x1a, {{0x8, 0x1, 'nat\x00'}, {0x2c, 0x2, @TCA_NAT_PARMS={0x28, 0x1, {{0x0, 0x7, 0xffffffffffffffff, 0x81, 0x7}, @local, @dev={0xac, 0x14, 0x14, 0x29}}}}, {0x5c, 0x6, "0fd22580a2fba54ff5d8d3458aaaf7aeb244fe3ebf803e7705d31034107b7d3c04ecf982d75288a4e635a4849cbad739f48a9118bde8da2660469cab41e9710f9dcbbf4d1a353efc13c5a6399bf79c884bb53c909c3f54"}}}}, {0x58, 0x1, @m_nat={0x54, 0x1b, {{0x8, 0x1, 'nat\x00'}, {0x2c, 0x2, @TCA_NAT_PARMS={0x28, 0x1, {{0x6, 0x9, 0x8, 0xe9, 0x1}, @multicast2, @loopback, 0xffffffff}}}, {0x18, 0x6, "f3f5e2a50a648f3acc2e2b57961466e7315355"}}}}, {0x3a80, 0x1, @m_pedit={0x3a7c, 0x1e, {{0xc, 0x1, 'pedit\x00'}, {0x3a4c, 0x2, [@TCA_PEDIT_PARMS_EX={0xe80, 0x4, {{{0xdf, 0xff, 0x20000005, 0x9, 0x3f}, 0x5, 0x10000, [{0x482, 0x6, 0x7, 0x7, 0x6, 0x3ff}, {0x2, 0x6, 0x200, 0xc93, 0x3, 0x6}, {0x6, 0x1000, 0x0, 0x2, 0x100000000, 0x8000}, {0xfdf, 0x100000001, 0x7fffffff, 0x3fffffffc00, 0x3, 0x3}]}, [{0x40, 0x1000000000000, 0xffffffffffffffff, 0x37, 0x101, 0xfffffffffffffffc}, {0x66, 0xfffffffffffffff9, 0x2, 0xe4, 0x1, 0x2}, {0xffffffff, 0x4, 0x80000001, 0x9, 0xfff, 0x7}, {0x908, 0x0, 0x40, 0x40, 0xff, 0xffffffff}, {0x3, 0x3, 0x91e1, 0x7, 0x2, 0x20}, {0x3, 0x0, 0x8000000000, 0x7fff, 0xffff, 0x8}, {0x401, 0x5, 0xcc, 0x7ff4, 0x80000000, 0x3}, {0x1000, 0x453606ba, 0x3, 0x5, 0x101, 0x6c03b221}, {0x7, 0x12c0, 0x8, 0x20, 0x9, 0x1}, {0x1, 0x1, 0x0, 0xff, 0x0, 0x7}, {0x100, 0x2, 0x3, 0x4, 0x1cbc, 0x2}, {0xfffffffffffffff7, 0xfffffffffffff800, 0x1000, 0xe7b, 0x9, 0xfa}, {0xf379, 0x4, 0x0, 0x0, 0xc381, 0x2}, {0x3, 0x2, 0x3, 0x80000001, 0x1f}, {0x6, 0x8, 0x6, 0x7ff, 0x6, 0x8818}, {0x1, 0x87a7, 0x9, 0x4, 0x10001, 0x8}, {0xfffffffffffffff8, 0x32f, 0x8000, 0x100000000, 0x4, 0x7}, {0x80000001, 0x1f, 0x3, 0xffc0000000, 0x1ff, 0x2}, {0x9132, 0x3, 0x10000, 0x800, 0x8de, 0x5}, {0x9, 0x1f, 0x6, 0xfffffffffffffff8, 0x7ff, 0x5}, {0xffffffffffffffc1, 0x2, 0x3ff, 0x1000, 0x8001, 0xebd}, {0x1, 0x9, 0x0, 0xd52a, 0x80000000, 0x7}, {0x52b, 0x1, 0x4, 0x8, 0x43, 0x5}, {0x4, 0x4eeb13e3, 0x4, 0x10000, 0x4, 0x2}, {0x7, 0x52e0, 0x7fff, 0x9c, 0x0, 0x6}, {0x400, 0x429, 0x400, 0x3, 0x1, 0xc4d6}, {0x20, 0x9, 0x0, 0x0, 0x400, 0x4}, {0x3, 0x3, 0x3f2, 0x20, 0x7, 0x2d6816d0}, {0x8001, 0x8, 0x2, 0x7ff, 0x7cd, 0x6}, {0x7, 0x9, 0x7, 0x146, 0x1, 0x59e}, {0xfff, 0x5, 0x7, 0x1d64, 0xfffffffffffff000, 0x617}, {0x2, 0xfffffffffffffffc, 0x40, 0x2, 0x7, 0x4}, {0x75ce, 0x7fffffff, 0x8, 0x0, 0x8, 0x7}, {0x5, 0x0, 0x3, 0x3, 0x401, 0x40}, {0x5, 0x7, 0x0, 0x8, 0x4, 0x2}, {0x1, 0x0, 0x1, 0x401, 0x0, 0xf6}, {0x6, 0x31, 0x44d, 0x2, 0x44, 0x3}, {0x9, 0x9, 0x2, 0x3ff, 0x8000, 0x20000}, {0xd6, 0x8, 0x75ec, 0x9, 0x3046, 0x216}, {0x10001, 0xffffffff, 0x101, 0x1f, 0x100000001, 0x2}, {0x1f, 0x54, 0x4, 0x0, 0x1bab, 0x3}, {0x0, 0x9, 0x3, 0x0, 0x100, 0xfffffffffffffffd}, {0x2, 0x8ab, 0x80000001, 0x5, 0x4, 0x10001}, {0x8001, 0x4, 0x100, 0x3, 0x3, 0x8}, {0x4, 0x1, 0x7fff, 0x4, 0x400, 0x4e}, {0x9, 0xea1e, 0x3, 0xc20, 0xb4, 0x3}, {0x1, 0x800, 0x1, 0xffffffffffffd2b0, 0xffffffffffffff00, 0x8000}, {0x78, 0x101, 0x6, 0x3, 0x101, 0x807}, {0x80, 0x8, 0x5, 0x2, 0x10001, 0x6}, {0xf, 0x9, 0x8, 0x8, 0x101, 0x80}, {0x100000001, 0x74570745, 0x40, 0x3, 0x8255, 0xfff}, {0x1ff, 0x3f, 0x100, 0x2, 0x546, 0x5}, {0x200, 0x1, 0x4, 0x8e, 0xa4, 0x100000000}, {0xc7, 0x2, 0x5, 0x0, 0x1}, {0x0, 0x5f2, 0x7e5, 0x3, 0x1, 0x80000001}, {0xfff, 0x2, 0x20, 0x1, 0x80000001, 0xf00}, {0x5, 0x5, 0x6d, 0x17, 0x81, 0x40}, {0x5, 0xd8, 0x907, 0x9, 0x8001, 0x2}, {0xbff, 0xd9, 0x40, 0x3, 0x448, 0xa5b}, {0x9, 0x8001, 0x32d, 0xff, 0xffffffff, 0x81}, {0x8000, 0xffff, 0x0, 0x3, 0x4ecce4ea, 0x532f}, {0x6, 0x2, 0xed, 0x0, 0x7f, 0xe3fa}, {0x0, 0x4, 0xffffffff, 0x0, 0x1, 0x7}, {0x1f, 0x4, 0xfff, 0xf04, 0x7c21, 0x3}, {0x0, 0x7, 0x7ff, 0x5, 0x10000}, {0x9, 0x9, 0x3, 0x2, 0x289, 0x503a}, {0x2, 0xfffffffffffffff9, 0x7, 0xb65d, 0x0, 0x4}, {0xfffffffffffffffd, 0x3f, 0x7f, 0x8, 0xfff, 0x8001}, {0x6, 0x32, 0x7, 0x7fffffff, 0x9, 0x9}, {0x8, 0x2, 0x401, 0x8, 0x8000, 0x1}, {0xa4, 0x4, 0x7, 0xfffe00000000000, 0x1, 0x7}, {0x8, 0x1, 0x1, 0x8001, 0x6b, 0x4}, {0x2, 0x6, 0x80, 0x200, 0x7, 0x1000}, {0xfffffffffffffff7, 0x9, 0x3, 0x8, 0x6, 0x2}, {0x10001, 0x40, 0x10000, 0x9, 0x6, 0x4}, {0x7, 0x800, 0xdaba, 0x0, 0x2}, {0x3f, 0x5, 0x100, 0xe2b, 0x8, 0x5}, {0x401, 0x0, 0x2, 0x7fffffff, 0x9, 0x8000}, {0x9, 0x0, 0x2, 0x5, 0x7, 0x10000}, {0x7fff, 0x2f, 0x4, 0x3, 0x80000001, 0x6}, {0x6, 0x5, 0x6, 0x10001, 0x8, 0x80}, {0x100, 0x20, 0x0, 0x0, 0x4, 0x100000000}, {0xa8, 0xac8, 0x49, 0x2, 0x6, 0x3ff}, {0x8, 0x5, 0x8, 0x2f0, 0x1, 0x7587}, {0x1, 0x0, 0x5, 0xfffffffffffffffb, 0x6, 0x8}, {0x80000000, 0x81, 0x5, 0x4, 0x2, 0x1}, {0x0, 0x2, 0x64a58803, 0x15, 0x40000000000000, 0x4}, {0x6, 0x2, 0x4, 0x3568, 0x4, 0x200}, {0xa98e, 0x80000000, 0x7fff, 0x3ff, 0x4, 0x9}, {0x3ff, 0xfffffffffffffff9, 0x5, 0x7, 0x8001, 0x5}, {0x0, 0x3f, 0x6, 0x89, 0x1, 0x100000000}, {0x5, 0x1, 0x2, 0x6, 0xff, 0x1}, {0x9, 0x0, 0x3, 0x9, 0x8, 0x1}, {0xfff, 0x8001, 0x4, 0x400, 0x4}, {0xaadd, 0x4c84, 0x1, 0x98, 0x7, 0x80}, {0x3f, 0x5, 0x9, 0x20000000000, 0x9f, 0x80}, {0x5, 0x10000, 0x9, 0x9, 0xff, 0x100000000}, {0x7fffffff, 0x786, 0x6, 0x2, 0x1, 0x5}, {0x8, 0x0, 0x7, 0x25b0, 0x4, 0x8}, {0xffffffffffffff81, 0x2, 0x0, 0x1f, 0x218b, 0x80000000}, {0x9, 0x4, 0x1000, 0x40, 0xcb, 0x7}, {0x69, 0xfffffffffffffff8, 0x9, 0x7fffffff, 0xbeb, 0x80000001}, {0x6c, 0x8, 0x5, 0xd1, 0x1, 0x2}, {0x9, 0xf88000000000, 0x2, 0x2, 0xde, 0x8}, {0x7, 0x2, 0x5, 0x4, 0x4, 0x3}, {0xc37, 0x9, 0x81, 0x4, 0x6, 0x3ff}, {0x8, 0x401, 0x100000000, 0x9, 0x9, 0x7e}, {0x100000000, 0x4, 0x2, 0x85e6, 0x5, 0xdf11}, {0x1f, 0x7, 0x800, 0x12110f55, 0x2, 0x9}, {0x3, 0x8000, 0xcd9, 0x0, 0x3ff, 0x80000001}, {0xc0, 0x5, 0xfffffffffffffffd, 0x800, 0xfffffffffffffffc, 0x2}, {0x3, 0x55, 0x20000000000000, 0x3, 0x4, 0x3}, {0x100, 0x8, 0x8001, 0xfffffffffffffffb, 0x36b0}, {0x1000, 0x6, 0x3, 0x200, 0x4, 0x5}, {0x0, 0x6, 0x2, 0x7, 0x6, 0x7}, {0x8, 0x800, 0x286c, 0x5, 0x0, 0x1}, {0x1, 0x3, 0x9, 0x2, 0x0, 0x1f}, {0x1ff, 0x101, 0x5, 0x3, 0x3, 0x100000000}, {0x9, 0x0, 0x40, 0x7, 0xffff, 0x6}, {0x4, 0xfffffffffffffff7, 0x0, 0x1, 0x7f, 0x62}, {0x7fffffff, 0x3, 0x8, 0xd5, 0x5, 0x2}, {0xef, 0x1, 0x3, 0xfffffffffffffff9, 0x16bc, 0x8}, {0x5, 0xfffffffffffffffd, 0x100000000, 0x10000, 0x3, 0xb8}, {0x2, 0x76f6, 0x0, 0xab7f, 0x7, 0x800}, {0x34, 0x0, 0x14f6, 0x1, 0xffffffffffff0000, 0x3}, {0x8001, 0x1, 0x0, 0x6, 0x3, 0xad}, {0x2, 0x101, 0x200, 0x2, 0x5, 0x3}, {0x101, 0xd7, 0x7, 0xf617, 0x1, 0x1}], [{0x7}, {0x3, 0x1}, {0x5}, {0x3, 0x1}, {0x1, 0x1}, {0x7, 0x1}, {0x7, 0x1}, {0x3, 0x1}, {0x2, 0x1}, {0x3}, {0x1}, {0x1}, {0x0, 0x1}, {0x3}, {0x3}, {0x0, 0x1}, {0x3}, {0x1, 0x1}, {0x7}, {0x5}, {0x1, 0x1}, {0x5, 0x1}, {0x7}, {0x7, 0x1}, {0x4}, {0x3}, {0x5, 0x1}, {0x7, 0x1}, {0x7}, {0x7}, {0x4}, {0x2}, {0x3}, {0x3, 0x1}, {0x4}, {0x3, 0x1}, {0x5, 0x1}, {0x5, 0x1}, {0x7}, {0x0, 0x1}, {0x2, 0x1}, {0x3, 0x1}, {0x142533be6a35d5b0}, {0x7, 0x1}, {0x0, 0x1}, {0x2, 0x1}, {0x2}, {0x5}, {0x7}, {0x5, 0x1}, {0x3}, {0x5}, {0x4}, {0x3, 0x1}, {0x1, 0x1}, {0x7}, {0x3}, {0x5}, {0x5}, {0x5, 0x1}, {0x1}, {0x3}, {0x2, 0x1}, {0x5, 0x1}, {0x3}, {0x7}, {0x3}, {}, {0x0, 0x1}, {0x5}, {0x6, 0x1}, {0x7, 0x1}, {0x2, 0x1}, {0x3}, {0x4, 0x1}, {0x3}, {0x3, 0x1}, {0x2}, {0x3, 0x1}, {0x5, 0x1}, {}, {0x7}, {0x3, 0x1}, {0x4}, {0x7}, {0x2, 0x1}, {0x3}, {0x3, 0x1}, {0x1, 0x1}, {}, {0x1}, {0x4, 0x1}, {0x5, 0x1}, {0x4, 0x1}, {0x2}, {0x2, 0x1}, {0x4, 0x1}, {0x0, 0x1}, {0x7}, {0x3, 0x1}, {0x4, 0x1}, {}, {0x4, 0x1}, {}, {0x7, 0x1}, {0x7, 0x1}, {0x3}, {0x4, 0x1}, {0x1, 0x1}, {}, {0x3, 0x1}, {0x5}, {0x1}, {0x5, 0x1}, {0x5}, {}, {0x3}, {0x1, 0x1}, {0x4}, {}, {0x0, 0x1}, {0x0, 0x1}, {0x3}, {0x1}, {0x7}, {0x5}, {0x5, 0x1}, {0x7}]}}, @TCA_PEDIT_PARMS_EX={0xf10, 0x4, {{{0x97, 0x3b06, 0x20000000, 0x3, 0x1}, 0x0, 0x6, [{0x5a, 0x6, 0x206, 0x7, 0xfab, 0x81}, {0x3, 0x6, 0x602, 0x309b, 0x6, 0x7}, {0xffff, 0x6, 0x8001, 0x7, 0x400, 0x2}, {0x7, 0x10001, 0x1fffe000000000, 0x4, 0x11e58a41, 0x8}, {0x8, 0x0, 0x7, 0xae, 0x2, 0x8}, {0x80000001, 0x0, 0x20, 0x8, 0x16ce5da5, 0x2}, {0x412, 0x10000, 0x1, 0x1f, 0xffff, 0xffff}, {0x6, 0x9a, 0x8, 0x0, 0x4, 0x3}, {0x0, 0xffffffff, 0x6b3, 0x6, 0xffffffff, 0xffffffffffffff15}, {0x9, 0x100000001, 0x0, 0x0, 0x0, 0x100000001}]}, [{0x6, 0x2, 0x401, 0x3, 0x5fb7f02c, 0xfff}, {0x0, 0x200, 0x5, 0x6, 0x7fffffff, 0x1}, {0x8001, 0x3, 0x6, 0x1, 0x2, 0x7}, {0x1000, 0x9, 0x7, 0x1000, 0x8, 0x9}, {0x29, 0x81, 0x100, 0x2, 0x3f, 0xea1}, {0x7ff, 0x9, 0xad, 0x2, 0xffffffff, 0x3ff}, {0x156aa0, 0x6, 0x80000000, 0x6, 0x6e8, 0x7}, {0x1, 0x7f, 0x4, 0x3b21, 0x0, 0x9}, {0x3, 0x3ff, 0x7fff, 0x9b7, 0x2, 0x2}, {0x8179, 0x48, 0x54c, 0x1, 0x2}, {0x6, 0x3, 0x1e, 0x40, 0x45, 0x7cd}, {0x9, 0x7ff, 0x80, 0x9, 0x9, 0xfffffffffffffffe}, {0x100000001, 0x1, 0x3, 0xffffffffffff0883, 0x444, 0x1}, {0x8fb1, 0x6, 0x8, 0x100000000, 0x6, 0x3}, {0x1, 0x2, 0x80, 0x0, 0x7, 0x7fff}, {0x0, 0xffff, 0x4, 0x78b, 0x80, 0x6}, {0x6, 0x1, 0xfffffffffffffffc, 0x3f, 0x1, 0x6}, {0x9, 0x445, 0x7, 0x9, 0x3, 0x200}, {0x6, 0xfffffffffffffff8, 0x1, 0xf5c4, 0x604, 0x2}, {0x40, 0x85, 0x4, 0x0, 0xfff, 0x7}, {0x1, 0x3ff, 0x9, 0x7, 0xff, 0x2}, {0x0, 0x5, 0x1, 0x6, 0xffffffffffffffe0, 0x6}, {0x9b, 0x7, 0x2ccab541, 0xb4cd, 0xed3, 0x1fec}, {0xffffffff00000000, 0xffffffffffffcaf9, 0x6, 0x7, 0x2, 0x80000001}, {0x1, 0xc7b1, 0x997, 0x2, 0x2, 0x6}, {0x72c, 0x0, 0xff, 0x6, 0x0, 0x100000000}, {0x9, 0x9, 0x3, 0x7f, 0x1, 0xffff}, {0x80000001, 0x20, 0x8001, 0x43, 0x5, 0xfffffffffffffff8}, {0x100000001, 0x0, 0x8, 0x30, 0x2d92, 0x2}, {0x9, 0x45c, 0x6, 0x9, 0x4a, 0x8}, {0x8000, 0x80000000, 0x8, 0x2, 0x6, 0x4}, {0x200, 0xff, 0x0, 0xf600000000, 0x80000000, 0x100}, {0x8, 0x76d, 0x3ff, 0x3, 0xc20, 0x63}, {0x1, 0x4, 0x200000, 0x800, 0x200, 0x5}, {0x5, 0x4, 0xa46, 0x9, 0x4, 0x5}, {0x6, 0x52f72aa2, 0x9dd0, 0x2, 0x1, 0x1}, {0x0, 0x1, 0x1, 0xaf9b, 0x0, 0x100}, {0x81, 0x401, 0x10001, 0x6, 0x6, 0x7}, {0x3, 0xfffffffffffffffe, 0x3, 0xd3, 0x5, 0x4000400000}, {0xffff, 0x4, 0x5, 0x3, 0x2, 0x4b}, {0x3f, 0x101, 0x9, 0x7, 0x1, 0x800000000000}, {0xc01a, 0xf547, 0x4, 0xfffffffffffff57d, 0x7, 0x5}, {0x8, 0x8, 0x3f, 0x1, 0xa7, 0x3}, {0x7ff, 0xffec, 0x6, 0x9, 0x5092, 0x6}, {0x100000000, 0x7, 0x3ff, 0x22971fe2, 0x1000}, {0x3, 0x4, 0x1, 0x5, 0x2, 0x135cc356}, {0xae, 0x0, 0xffff, 0x1, 0x8, 0x200}, {0xbd70, 0x9, 0xebbe, 0x2, 0x3, 0x81}, {0x28, 0x4, 0x410, 0x7, 0x7fff, 0xd76a}, {0x9, 0x7, 0x7fff, 0x4, 0x9, 0x1f}, {0x7f, 0x4, 0xfff, 0x7, 0x7fffffff, 0x7ff}, {0x8001, 0x1, 0x4, 0x101, 0x2158, 0x81}, {0x5, 0xffffffffffffffff, 0x6, 0x800, 0x6ff, 0x7fffffff}, {0xee, 0xffffffffffffffe0, 0x8, 0x8, 0x1f, 0x5}, {0x7f, 0x7, 0x5, 0x1ff, 0x56b, 0x6f89}, {0xffffffffffffffff, 0x9, 0x9, 0x7fff, 0x3, 0x71c9}, {0x7ff, 0x3, 0x5, 0x6, 0x1b}, {0x6, 0x8, 0x9, 0x401, 0x5e, 0x3}, {0x4, 0x7, 0xffffffffffffffff, 0xfffffffffffffffd, 0x1ff, 0x4}, {0x400, 0x3, 0xad, 0x400, 0x1, 0xfffffffffffffe01}, {0x204, 0x99, 0x4, 0x3ff, 0x5a6, 0x9a4}, {0x100000000, 0x9, 0x20, 0x5, 0xffffffffffffffff, 0x9}, {0xf53, 0x100, 0x8, 0x3, 0xffff, 0x8001}, {0x7ef2, 0x6, 0x6, 0x80000000, 0x100000001, 0x1f}, {0x2, 0x0, 0x0, 0x1ff, 0x8}, {0x2f, 0x9, 0x3, 0x8000, 0xffff, 0x6}, {0x40, 0x8, 0x1, 0x7, 0xc82}, {0x4, 0xc94, 0x100000001, 0xccb, 0x2, 0x3}, {0x5c2, 0x20b55ece, 0x40, 0x20, 0x4, 0x6}, {0x5, 0x80, 0x9, 0x100, 0x7, 0x80}, {0x2, 0x6, 0x7ff, 0x4, 0x6, 0x8}, {0x9433, 0x9, 0x6, 0xd5e, 0x5, 0x1}, {0x0, 0x2, 0x8001, 0x200, 0x3, 0x401}, {0x7f, 0x4, 0x5, 0x7f, 0x7, 0x6}, {0x2, 0x696, 0x1f, 0x5bc7, 0xfffffffffffffffa, 0x7f}, {0xffffffffffff73fe, 0x15, 0x100, 0x2, 0x7, 0x1}, {0x6, 0x200, 0x3, 0x0, 0x4, 0x4}, {0x5, 0x3bbc155a, 0x2, 0xca59, 0x3, 0x7}, {0x3, 0x80000001, 0xfff, 0x7, 0xffff, 0x7fff}, {0x5, 0x8, 0x9, 0x3, 0x3, 0x401}, {0x1, 0x8, 0x800, 0x3, 0x8, 0x2}, {0x0, 0x1, 0xffffffff, 0xff, 0x8, 0x8000}, {0x1, 0x9, 0x6, 0x8001, 0xafe, 0x1}, {0x21, 0x8, 0x100000000, 0x8001, 0xe3c, 0x3}, {0x100000000, 0x800, 0x76, 0x0, 0xff, 0x3312}, {0x1ff, 0x7, 0x7ff, 0x50000000, 0xfffffffffffffffb, 0xffffffffffffff7f}, {0x0, 0x2, 0x7fff, 0x0, 0x1f, 0x3ff}, {0x7, 0x6, 0x6, 0x10000, 0xdf, 0x10000}, {0x0, 0x10000, 0x1f, 0xb4e, 0x2}, {0x3ff, 0xc0, 0x6, 0x9, 0xcd, 0x3}, {0xd6, 0x2, 0x1114e671, 0x7, 0x9, 0xfffffffffffff549}, {0x4, 0x5, 0x101, 0xffff, 0x5d, 0xd2}, {0x400, 0x1f, 0xb4e4, 0x8, 0xffffffffffffffff, 0x2}, {0x9, 0x4, 0x6, 0x80000000, 0x4}, {0x9, 0xdedb, 0x0, 0x4db4, 0xfffffffffffffffd, 0x80000001}, {0x100000000, 0x1, 0x1, 0x0, 0x6, 0x721}, {0x5, 0x1, 0x6, 0x93f, 0x40, 0xffffffffffff8001}, {0x101, 0x4, 0x7, 0x80000000, 0x5, 0x9}, {0x3f, 0x22, 0x3f, 0xd59, 0x32, 0x2}, {0x9, 0x1, 0x7ff, 0x4, 0x8, 0x5}, {0x6, 0x3, 0x1, 0x4, 0x1, 0x81}, {0x6f9, 0x0, 0x7, 0xb8, 0x9}, {0x3, 0x9, 0x7, 0xe3, 0x24e, 0x1f}, {0x6, 0x1, 0x2a, 0x8001, 0x80000001, 0x7fc000000000000}, {0x3, 0x7a, 0x0, 0x9, 0x4, 0x7ff}, {0x1, 0x7, 0x0, 0x1, 0x0, 0xff}, {0x7, 0x7fff, 0x80000001, 0xfff, 0x70, 0x2}, {0x5, 0x3, 0x100, 0x4, 0x101, 0xde}, {0x352, 0x5, 0x1, 0x8001, 0x401, 0xfffffffffffffffe}, {0x7, 0xffff, 0x7, 0x8001, 0x2, 0x7}, {0xffffffffffffb466, 0x1ff, 0x1, 0x3ff, 0x7, 0x3}, {0x6, 0x7fffffff, 0x8001, 0x8, 0x80, 0xffff}, {0x3, 0x8, 0x8000, 0x0, 0x0, 0x200}, {0x6, 0xffffffffffff0000, 0x5, 0x4d, 0x1, 0x8}, {0x9, 0x0, 0x3ff, 0x1ff, 0x7, 0x5}, {0xb53, 0x80, 0x2, 0x3ff, 0xc8bc, 0x6}, {0x4b, 0x0, 0x4, 0x100, 0x9, 0x203}, {0x0, 0x3778, 0x6, 0x9, 0xf0, 0x3}, {0x8000, 0x1, 0x49, 0x101, 0x101, 0x2}, {0xff, 0x7, 0x8, 0x2000000, 0x8, 0x8}, {0x7, 0xe3, 0x101, 0x0, 0x2, 0xff}, {0x6, 0xfffffffffffff001, 0x80000000, 0x10000}, {0x73aa, 0x5fe, 0x614, 0x3, 0x1, 0x51419e53}, {0x2, 0x9, 0xffffffffffff326a, 0x1ff, 0x4, 0xaf3}, {0xfffffffffffffffc, 0x100000000, 0x8, 0x6141, 0x8, 0x9}, {0x3, 0x118c0000, 0x1581, 0x3ff00000, 0x1000, 0x3}, {0x7, 0x3ff, 0xb1, 0x9, 0x7f, 0x400}, {0xda7, 0x8, 0x1ff, 0x0, 0x7fffffff, 0x1f}], [{0x4, 0x1}, {0x3}, {0x2, 0x1}, {0x3, 0x1}, {}, {0x3, 0x1}, {0x7, 0x1}, {0x0, 0x1}, {0x5, 0x1}, {0x4}, {0x7, 0x1}, {0x3, 0x1}, {0x3, 0x1}, {0x3, 0x1}, {0x5, 0x1}, {0x5}, {0x1}, {0x3, 0x1}, {0x0, 0x1}, {}, {0x6}, {0x0, 0x1}, {0x7, 0x1}, {0x7, 0x1}, {0x5, 0x1}, {0x2, 0x1}, {0x5}, {0x5, 0x1}, {0x1}, {0x2, 0x1}, {0x5}, {0x5, 0x1}, {0x5}, {0x5, 0x1}, {0x1}, {0x1, 0x1}, {0x4}, {0x3, 0x1}, {0x3, 0x1}, {0x3}, {0x5}, {0x1, 0x1}, {0x7, 0x1}, {0x0, 0x1}, {0xa21268ec2cf7eeaf, 0x1}, {0x2, 0x1}, {0x6, 0x1}, {0x1}, {0x1}, {0x3, 0x1}, {0x2, 0x1}, {0x1}, {0x2}, {0x3, 0x1}, {0x2}, {0x5, 0x1}, {0x4}, {0x2, 0x1}, {0x5}, {0x7, 0x1}, {0x0, 0x1}, {0x0, 0x1}, {0x5}, {0x7, 0x1}, {}, {0x7}, {}, {0x1}, {}, {0x0, 0x1}, {0x1}, {0x7, 0x1}, {0x0, 0x1}, {0x7, 0x1}, {0x2}, {0x0, 0x1}, {0x0, 0x1}, {0x7, 0x1}, {0x0, 0x1}, {0x7, 0x1}, {}, {0x1, 0x1}, {0x5}, {0x3}, {0x3}, {0x4, 0x1}, {0x0, 0x1}, {0x4}, {0x1, 0x1}, {}, {0x1, 0x1}, {0x6, 0x1}, {0x7, 0x1}, {0x0, 0x1}, {0x4, 0x1}, {0x2, 0x1}, {0x3, 0x1}, {0x4}, {0x5, 0x1}, {}, {0x0, 0x1}, {0x5}, {0x2}, {}, {0x0, 0x1}, {0x3, 0x1}, {0x3}, {0x0, 0x1}, {0x0, 0x1}, {}, {0x3, 0x1}, {0x2, 0x1}, {0x5, 0x5847609ef64794f8}, {0x3}, {0x3}, {0x7}, {0x3, 0x1}, {0x5, 0x1}, {0x4, 0x1}, {0x7}, {0x3, 0x1}, {0x2}, {0x5, 0x1}, {0x0, 0x1}, {0x0, 0x1}, {0x5}, {0x0, 0x1}, {0x2}], 0x1}}, @TCA_PEDIT_PARMS_EX={0xe50, 0x4, {{{0x3, 0x3, 0xe7a1376bad9545e9, 0xfff, 0x1}, 0x8650, 0x1, [{0x1, 0x2, 0x3, 0xffff, 0x3b4, 0x3ff}, {0x1, 0xfffffffffffffc2f, 0x7fffffff, 0x5a9, 0x80000001, 0x8}]}, [{0x200, 0x0, 0x0, 0x6, 0x3, 0xe9d}, {0x3, 0x7, 0x4, 0x6, 0x6, 0x3}, {0x1ff, 0x1ff, 0x7fffffff, 0x0, 0x40, 0x9}, {0x2, 0x85d9, 0x9, 0x10000, 0x4e5e, 0x7ff}, {0x4, 0xde53, 0x3, 0x8, 0x5, 0xffffffff}, {0xffffffffffff0000, 0x100000001, 0x1f, 0x58, 0x8, 0x80000001}, {0x1, 0x6, 0xf9b, 0x7, 0x7ff, 0x1}, {0x1, 0x1, 0x7, 0x61, 0x6, 0x8}, {0x3, 0x81, 0x0, 0x101, 0x7, 0x9778}, {0x3ff, 0x7, 0x3, 0x7, 0x1, 0xaf4b}, {0x2, 0x7fffffff, 0xc1, 0xfffffffffffffffa, 0xfffffffffffffeff, 0xfffffffffffffff9}, {0x0, 0x8, 0x7, 0x3745, 0x4, 0x4}, {0x7375, 0xff, 0x8, 0x6, 0xb00a, 0x8}, {0xcf, 0xfd7, 0x3ff, 0x3, 0x8, 0x9}, {0x3f, 0x5, 0x2, 0x2d7, 0xb9c, 0x1}, {0x81, 0xde1, 0x20, 0x7fffffff, 0x1c46, 0x7}, {0xfffffffffffffeff, 0x0, 0x6, 0xb9f, 0x5, 0x1}, {0xe, 0x8, 0xffffffffffff9926, 0x8, 0x7fffffff, 0xfd4}, {0x7999, 0x401, 0x9, 0xffffffff, 0xdb, 0x5}, {0x3, 0x7, 0x1f9, 0x10000, 0xffffffffffffa35c, 0x1}, {0x530, 0x4, 0x1, 0xc6f9, 0x4}, {0x8, 0x6, 0x10000, 0xffff, 0x1000, 0x10000}, {0x4, 0xfffffffffffffff8, 0x7, 0x68800000000, 0x7, 0x9}, {0x0, 0x81, 0x0, 0x3, 0x40000000000000, 0x2}, {0x40, 0x101, 0x6, 0x5, 0x7, 0x100000000}, {0x5492c46c, 0xa37a, 0x8001, 0x5, 0x401}, {0xfff, 0x3f, 0x6, 0x4, 0x7, 0xfc9}, {0x33, 0x5, 0x5, 0xffffffff, 0x7}, {0x9, 0x40, 0xfffffffffffffffe, 0x5, 0x81, 0x72a43945}, {0x4, 0x2, 0x100, 0x9, 0xfffffffffffffff7, 0xffffffffffffe2a1}, {0x12a4, 0x62, 0x6b8c, 0x1, 0x4, 0xc9c}, {0x8, 0x2, 0x4, 0x5, 0x4, 0x4}, {0x401, 0x91bf, 0x80000000, 0xfffffffffffffffc, 0x3, 0x7fffffff}, {0x0, 0x7, 0x1800, 0xe586, 0x4, 0x8001}, {0x8, 0x200, 0x7, 0x9, 0x7ff}, {0x6, 0x2, 0x401, 0x3, 0x7, 0x4f908591}, {0x5, 0x3, 0x0, 0x8a38, 0x3f, 0xb3}, {0x6, 0xf6bf, 0x25, 0x40, 0x3, 0x2}, {0x90, 0xff, 0x6, 0x4, 0x7, 0x1f}, {0x6, 0x6, 0x0, 0x0, 0x0, 0x7}, {0x3, 0x0, 0xffffffffffffffff, 0x9d6, 0x83, 0x6}, {0x2, 0xf0, 0x8, 0x8, 0x3f, 0x8}, {0x8c, 0x375, 0x21, 0x1, 0x9, 0x1}, {0x7ec, 0x6, 0x1, 0xff, 0x91c8, 0x1ff}, {0xa70, 0xff, 0x5, 0x7fffffff, 0xffffffff, 0xfffffffffffffffb}, {0x1, 0x5, 0x1, 0xfffffffffffffffc, 0x6fd95575, 0x9}, {0x0, 0x5f6, 0xd0, 0x6, 0x8, 0x1200}, {0x7, 0x2, 0x100, 0x1, 0x39, 0x2}, {0x1f, 0x8a2, 0x2, 0x3ff, 0x1f, 0xffffffff00000000}, {0x80000001, 0x1eb244f1, 0xd1f6, 0x2, 0x81, 0x9}, {0x4, 0x1f7, 0x63, 0x40, 0x1, 0x6}, {0xfffffffffffffffb, 0x3, 0x4, 0x5b3, 0xffffffffffffffff}, {0x5, 0x2887b893, 0xff, 0x4007, 0x9, 0x6}, {0x400, 0x1, 0xff, 0x6, 0x15, 0x40}, {0x1b, 0x6, 0x80000001, 0x2b0, 0x0, 0xa307}, {0x7, 0xfffffffffffffff9, 0x8, 0x5, 0x7fff, 0x1ff}, {0x0, 0xbefe000000000000, 0x2, 0x6, 0x1, 0x1}, {0x8001, 0x1, 0xffffffff80000001, 0x80, 0x1, 0x9}, {0x100, 0x0, 0x80, 0x7fff, 0x3, 0xa04}, {0xa9, 0x3, 0x10000, 0x4eb, 0x0, 0xffffffff}, {0x2, 0x5, 0xffff, 0xffffffffffff0000, 0x100, 0x6}, {0x6, 0x6, 0x2, 0xfffffffffffffe01, 0x401, 0x100000001}, {0x3, 0x8, 0x1, 0x3ff, 0x5, 0x7}, {0x401, 0x9e13, 0x1ff, 0x5, 0x80, 0x6}, {0xffffffffffffff7f, 0x2, 0x52b, 0x8, 0x400, 0x1251}, {0xbfee, 0x3ff, 0x2, 0x3406b7dc00, 0x3b, 0x8}, {0xff, 0x2, 0x3, 0x3ff, 0x8001, 0xffffffff}, {0xfffffffffffffffe, 0x3, 0x7fff, 0x8, 0xffffffff, 0x6}, {0x7, 0x7ff, 0x7, 0xfffffffeffffffff, 0x4, 0x1}, {0x10000, 0x1f, 0x7, 0x401, 0xe12, 0x1}, {0x4, 0x8, 0x0, 0x669f, 0x4, 0xca}, {0x8, 0x5, 0x1, 0x241, 0x101, 0xfffffffffffffffe}, {0x55, 0x5, 0xffffffffffffffe0, 0xd5, 0x100000001}, {0x2de, 0xd75, 0x4, 0x8e, 0x10000, 0xffffe00000000000}, {0x40, 0x1, 0x2, 0x9, 0xffffffffd0b1cd55, 0x80}, {0x0, 0x10000, 0x5e5, 0x5, 0x7, 0xce}, {0x61, 0xc7, 0x400, 0x6, 0x8, 0x483}, {0xfffffffffffffffe, 0xfffffffffffffffe, 0x5, 0xd3, 0x4, 0x9}, {0x5, 0x8, 0x2, 0x0, 0xffffffff, 0x380000000000000}, {0x1c000000000000, 0x3, 0xe0b9, 0x1, 0xc7a6, 0xc55}, {0x80000001, 0x8, 0x0, 0x20000000000000, 0x774, 0x1}, {0x1, 0x8, 0xffffffffffffff00, 0xc96, 0x2, 0x551d}, {0x6, 0x0, 0xc5a9, 0x7c29, 0x8, 0x4}, {0x4, 0xff, 0x3, 0x400, 0x1000}, {0x790bb396, 0x5, 0x2, 0x3, 0x0, 0x7}, {0x0, 0xc3, 0x4, 0x1000, 0x60, 0x1}, {0x100000001, 0x7ff, 0x3f, 0x101, 0x7f, 0x1}, {0x41, 0x8000, 0x6, 0x716f, 0x9, 0x98ed}, {0x8, 0x5, 0x8, 0x6, 0xffffffff, 0x2}, {0x0, 0x9, 0xa4e, 0x2, 0x101, 0x1}, {0x4, 0x9d1, 0x1, 0x1, 0x1d3, 0x81fd}, {0x7, 0x2, 0x1, 0xfffffffffffffc01, 0x400, 0x13}, {0x0, 0x3, 0x8, 0x7, 0x1, 0x3}, {0x6, 0x1, 0x5, 0x1, 0x9d1b, 0x3f}, {0x3, 0xfffffffffffffff8, 0x37, 0x2, 0x9, 0x4}, {0xffffffffffffffb2, 0x6, 0x100000000, 0x8000, 0x2}, {0xfffffffffffffff9, 0x100000001, 0x81, 0x67, 0x7fff, 0x3}, {0x80000000, 0x4, 0x1f, 0x553, 0x7, 0xed}, {0x1, 0x4, 0x1000, 0x100, 0x3ec4}, {0x5, 0xffffffff00000001, 0x8001, 0x4, 0x4, 0x3}, {0xed35, 0x400, 0x6, 0x5, 0x800, 0x80}, {0x1, 0x0, 0x66c, 0x0, 0x9, 0x80000000}, {0x7, 0x8, 0x8, 0x9, 0x4}, {0x5, 0x4, 0x5, 0x401, 0xffffffff00000001, 0x5}, {0x9, 0x80000000000000, 0x40, 0x6, 0x9, 0x7ff}, {0x135, 0x40, 0x2a50, 0x6, 0x1ff, 0x81}, {0x8, 0x4, 0x8, 0x6, 0x7, 0x10001}, {0x7, 0x100, 0x401, 0x8c37, 0x1}, {0x6, 0x7, 0x6, 0xb7, 0x1000, 0x5}, {0x3, 0xffff, 0x100, 0x3, 0xffffffff}, {0x1b2a3ba, 0x8, 0x2, 0x4, 0x8, 0x8}, {0x0, 0x5, 0x7fffffff, 0x1ff, 0x80000001, 0x1}, {0xffffffff, 0x95, 0x52c, 0x9, 0x5, 0x400}, {0x1, 0x400, 0x3, 0xfffffffffffffc01, 0x1, 0x2}, {0xfffffffffffffffe, 0xf4, 0x0, 0x6, 0x1, 0x7}, {0x510, 0xff, 0xd50, 0x101, 0x4, 0xc053}, {0x7, 0x3, 0x400, 0x8000, 0x10000, 0x5}, {0x7f, 0x1, 0x3, 0x83f1, 0xf0c0, 0x6}, {0x6, 0xd002, 0x80000000, 0x1f, 0x6, 0x4}, {0xffffffffffff1405, 0xffffffffffff9661, 0x6, 0xfffffffffffffffa, 0x0, 0x401}, {0x5, 0x7, 0x1, 0x4, 0x9, 0xfffffffffffffffc}, {0x6, 0x95, 0x0, 0x3ff, 0x2, 0x2}, {0x20, 0x7, 0x7fffffff, 0x4, 0x8, 0x5}, {0x4, 0x81, 0x1, 0x3449, 0x7, 0x3f}, {0x3f, 0x5, 0x81, 0x5, 0x5, 0xffffffffffff82c3}, {0x27, 0x2, 0x9770, 0x7ff, 0x8, 0x7fffffff}, {0x4, 0x7fec, 0x80000000, 0x5, 0x7, 0x4}, {0x0, 0x4, 0x100000001, 0xfffffffffffffffc, 0x3, 0xfffffffffffffeff}], [{0x0, 0x1}, {0x5, 0x1}, {0x0, 0x1}, {0x2, 0x1}, {0x1}, {0x5}, {0x5}, {0x1, 0x1}, {0x5}, {0x5, 0x1}, {0x4}, {0x0, 0x1}, {}, {0x7}, {0x2, 0x1}, {0x1}, {0x5, 0x1}, {0x2}, {0x5, 0x1}, {0x2, 0x1}, {0x1}, {0x1, 0x1}, {0x4, 0x1}, {0x3}, {0x7, 0x1}, {0x4, 0x1}, {0x5, 0x1}, {0x3}, {0x0, 0x1}, {0x7}, {0x0, 0x1}, {0x7, 0x1}, {0x7, 0x1}, {0x1}, {0x5, 0x1}, {0xd9d2f6da9b3c7d81}, {0x5, 0x1}, {0x7, 0x1}, {0x0, 0x1}, {0x7, 0x1}, {0x3, 0x1}, {0x6, 0x1}, {0x3, 0x1}, {0x3, 0x1}, {0x5, 0x1}, {0x0, 0x1}, {0x4, 0x1}, {0x1, 0x1}, {0x93b8057565b58ad3, 0x1}, {0x1, 0x1}, {0x4, 0x1}, {0x1, 0x1}, {0x2}, {0x1}, {0x3}, {0x4, 0x1}, {0x3, 0x1}, {0x0, 0x1}, {0x0, 0x1}, {0x3, 0x1}, {0x2, 0x1}, {0x3}, {0x2, 0x1}, {0x5, 0x1}, {0x5, 0x1}, {0x0, 0x1}, {0x5}, {0x7}, {0x7}, {0x3}, {0x7}, {0x1}, {0x1}, {0x0, 0x1}, {0x7, 0x1}, {0x3}, {0x7, 0x1}, {0x0, 0x1}, {0x7, 0x1}, {0x3, 0x1}, {0x3, 0x1}, {0x3}, {0x7, 0x1}, {0x5, 0x1}, {0xfab22cf4e3451b45}, {0x5, 0x1}, {0x3}, {0x7, 0x1}, {0x0, 0x1}, {0x2}, {0x3, 0x1}, {0x5}, {0x2, 0x1}, {0x3, 0x1}, {0x4, 0x1}, {0x5, 0x1}, {0x5}, {}, {0x7}, {0x5, 0x1}, {0x7}, {0x1}, {0x3, 0x1}, {0x7, 0x1}, {0x7}, {0x3}, {0x7, 0x1}, {0x4}, {}, {0x5, 0x1}, {0x7, 0x1}, {0x5}, {}, {0x0, 0x1}, {0x5}, {0x7, 0x1}, {0x1, 0x1}, {0x7, 0x1}, {0x7}, {0x4}, {0x1, 0x1}, {0x3}, {0x4, 0x1}, {0x5}, {0x5, 0x1}, {0x1}, {0x3, 0x1}, {0x2, 0x1}], 0x1}}, @TCA_PEDIT_PARMS={0xe68, 0x2, {{{0x8, 0x800, 0x0, 0x5, 0x9}, 0x9, 0x40, [{0x7, 0x7fffffff, 0x8000, 0x3, 0x3f, 0x8}, {0x40, 0x8, 0x7, 0xffcc, 0x5bc0, 0x7}, {0x5, 0xb85, 0x10001, 0xd3e7, 0x2, 0x8}]}, [{0x8, 0xa5e1, 0x1000, 0x2, 0x62, 0x1e33}, {0x9, 0x2, 0x1, 0x81, 0x7f, 0xffff}, {0x7fffffff, 0x0, 0x4, 0xffffffffffffe93e, 0x3, 0x5}, {0x1, 0x7, 0x4, 0xb4, 0x2b, 0x9}, {0x5, 0x80000000, 0x2, 0x0, 0xffffffffffffff4e, 0x139}, {0x24f7, 0x40, 0x7fff, 0x1, 0x80, 0x4000000000}, {0x6, 0xda4, 0x2, 0x400, 0x9, 0xfe46}, {0xffff, 0xfff, 0x1, 0x5, 0x3ff, 0x2}, {0x1, 0x959c, 0x9, 0x1, 0x200, 0x9}, {0x9, 0x6824, 0x1, 0x7fffffff, 0x3, 0x2}, {0x0, 0xfffffffffffffffd, 0x2, 0x3, 0xfff, 0x62f}, {0x100000001, 0x100, 0x10001, 0xffffffffffff0001, 0x8, 0x205}, {0x5492, 0x2, 0x0, 0x6, 0x4, 0x8}, {0xffffffffffffffff, 0x9, 0x81, 0x8, 0x4, 0x7}, {0x9, 0x1, 0x8, 0x7ff, 0x7, 0x5b7}, {0x3ff, 0x7fffffff, 0x0, 0x10001, 0x10000, 0x6}, {0x1, 0x6, 0xffffffff, 0x2, 0x4, 0xa9}, {0x10001, 0x0, 0x3, 0x97f, 0xe042, 0x4}, {0xda, 0x1, 0x1f, 0x1000, 0x6, 0xfffffffffffffffd}, {0x9, 0x6, 0x5, 0x6, 0x7f, 0x7218}, {0x3, 0x100000000, 0x8, 0x2, 0x7, 0x8}, {0x9, 0x1000, 0x6, 0x8000, 0x5, 0x40}, {0x9, 0x7, 0x800, 0xff, 0x4}, {0xf9a, 0x291d8486, 0x5, 0x3000000000000000, 0x100000000, 0x1ff}, {0x3, 0x2, 0xc981, 0x80000001, 0x8, 0x7ff}, {0xfffffffffffffff9, 0x401, 0x31c1, 0x6, 0x2, 0x5}, {0x100, 0x100000000, 0x9, 0x9, 0x6, 0x7f}, {0x10000, 0xad, 0x40, 0x4, 0x2, 0x6}, {0x0, 0x6, 0x5, 0x0, 0x6, 0x3}, {0x100000000, 0x100000001, 0x7, 0x1000, 0x3, 0xffffffffffffff80}, {0x9, 0x2, 0x100000000, 0xac4, 0x1}, {0x1, 0x0, 0x3, 0x6, 0x1f, 0x62a6}, {0x8, 0x80, 0x7fffffff, 0x4, 0x2, 0x4}, {0x3, 0x0, 0x8, 0x6, 0x1000, 0x3}, {0x2, 0x7, 0x100, 0x3, 0x76, 0x371}, {0x5, 0x6, 0x44e, 0x1000, 0x9, 0x4}, {0x81, 0x9, 0x1000, 0x2, 0x4, 0x43e}, {0x5, 0x100, 0x4, 0x40, 0x8, 0xfff}, {0x1f, 0x1, 0xfffffffffffffffb, 0x10000, 0x42, 0x1000}, {0xb8f8, 0x6, 0xee7, 0x80000000}, {0x2, 0x3, 0x143, 0xfff, 0x1872e6e7, 0x6}, {0xfffffffffffff7b1, 0x5, 0x2, 0x7de, 0x8, 0x8}, {0x2, 0x5, 0x0, 0x7, 0x9, 0x7ff}, {0x80, 0x7d927c1b, 0xffff, 0x400, 0x9, 0x2}, {0xb7, 0x80, 0x8001, 0x10000, 0x8, 0xc88a}, {0x6, 0x20, 0x6, 0x8, 0x401, 0x1}, {0x3460, 0x4, 0x101, 0x20, 0x4, 0xfffffffffffffffe}, {0x80000001, 0x7ff, 0x2, 0x6, 0x80}, {0x5, 0x1000, 0x2, 0x4, 0x20, 0x9}, {0xfff, 0x101, 0x9, 0x3, 0x1, 0xe547}, {0xfffffffffffffff7, 0x13, 0x1, 0x2, 0x8, 0x8}, {0x9, 0xffffffff80000001, 0x5e, 0x2, 0x5, 0x3}, {0x7, 0x3, 0x9, 0x4, 0xa641, 0x7}, {0x7, 0x400, 0xff, 0x4, 0xfffffffffffeffff, 0x4}, {0x6, 0x4000, 0x0, 0x3, 0x8, 0x5800}, {0x6, 0x80000001, 0x3, 0x80, 0x5, 0x1}, {0x0, 0x4, 0x8, 0x4, 0x3, 0x8000}, {0x4277, 0x0, 0xfffffffffffffffc, 0x400, 0x3f, 0x7}, {0x6, 0x6, 0x5, 0x4, 0x1f, 0x6}, {0x58f, 0x7, 0x5, 0x8, 0x8001, 0x7ff}, {0x4, 0x100, 0x0, 0xab9f, 0x8, 0x401}, {0x3, 0x8, 0xfff, 0x401, 0x1f, 0x9}, {0x1f, 0x10001, 0x2, 0x0, 0x1, 0x4}, {0x5, 0xf0, 0x81, 0x101, 0x1, 0x2}, {0x0, 0x9, 0x8, 0x200, 0x7ff, 0x40}, {0x5, 0xffff, 0x7, 0x200, 0x1, 0x8}, {0x100000001, 0x5, 0x6, 0x80000001, 0x7, 0x9}, {0x4, 0x7, 0x6, 0x2791, 0x77ba, 0x6}, {0x4, 0xd86b0000, 0x100000000, 0x3f, 0x0, 0x6}, {0x9, 0x7, 0x3, 0x7ff, 0x7f, 0x3}, {0xaaa, 0x9, 0x80000000, 0x4, 0x8, 0x8001}, {0xff, 0x1, 0x10000, 0xfffffffffffff800, 0x5, 0x5}, {0x1000, 0x5, 0x7, 0x2, 0xf5, 0xfb}, {0x80, 0x5, 0x2, 0x1, 0x7, 0x4}, {0x3, 0xfffffffffffff0dd, 0x100000000, 0x101, 0x100000001, 0x80000000}, {0x7ff0000, 0x4906, 0x8, 0xfffffffffffffffc, 0x401, 0x5}, {0x1, 0x0, 0x9, 0x7fff, 0x6, 0x100}, {0x8000, 0x53, 0x8, 0x9, 0x0, 0x8}, {0x5, 0x6, 0x8, 0x5, 0x3f, 0x316}, {0x7, 0x8, 0x80000001, 0xe829, 0x80, 0x1}, {0x80000000, 0x4, 0x7, 0x3, 0x8}, {0x5, 0x200, 0x6, 0xfffffffffffffffe, 0x4, 0x60e5}, {0x0, 0x1, 0xe1, 0x3, 0x2860000000, 0x622f}, {0x20, 0x6a83c7dd, 0x311, 0x5, 0x9, 0x7}, {0x2b59, 0x80, 0x0, 0x4, 0x2, 0x8}, {0x0, 0x7af, 0x2, 0x6, 0xffffffffffffff00, 0x39d3}, {0x3ff, 0x0, 0x7d9f2d01, 0x1, 0x7, 0xe45}, {0x8, 0x57, 0x100, 0x2, 0x3, 0xffffffff}, {0x2, 0x0, 0x1ff, 0x1, 0xc6, 0xc210}, {0x4, 0x9, 0x2, 0x4, 0x2, 0x5}, {0x8, 0x100, 0x9, 0x9, 0x5, 0xd66}, {0x2, 0x1, 0x5, 0xffffffff, 0x80, 0x1}, {0x2, 0x200, 0xbe4, 0x5, 0x4, 0x5}, {0x0, 0x7, 0x8, 0x1, 0x6, 0xffffffffffffff01}, {0x8, 0x24, 0x5000, 0x88, 0x100000000, 0xf4d}, {0x7f, 0x7fff, 0x4, 0x2, 0x1, 0x3ff}, {0x1, 0x80000001, 0xfff, 0x0, 0x5, 0x3}, {0x1f, 0x7f, 0x3, 0x473a62dc, 0x3, 0x5}, {0x0, 0x0, 0x1, 0x25a, 0x2, 0xfffffffffffffffe}, {0x9a9, 0xe58, 0xfffffffffffffff7, 0x20, 0xffffffffffffff00, 0x7fff}, {0x7fffffff, 0x0, 0x0, 0x7, 0x7ff, 0x3ff}, {0x11, 0x81, 0x67d1, 0x9, 0x0, 0x5}, {0x80, 0x6, 0x8, 0x0, 0x100, 0x7}, {0x6, 0x9ee, 0x1acf, 0xa6, 0x3, 0x1ff}, {0x2, 0x0, 0x52d8, 0x2, 0xfff, 0x5}, {0x2856, 0x6a7, 0x0, 0x80, 0x0, 0x9}, {0x168, 0x6, 0x8, 0xec, 0x7fff, 0x7fff}, {0x1, 0x8, 0x40, 0x5, 0x2488, 0x7c780000000}, {0x6, 0x7fffffff, 0x3, 0xdf9, 0x5, 0x6}, {0x100000001, 0x1, 0xffffffff00000001, 0x4, 0x6, 0x9}, {0x40, 0x5, 0x9, 0x10001, 0xd7a7, 0x10000}, {0x5, 0x6, 0x3f, 0xfffffffffffffffe, 0x8, 0x6df}, {0xffff, 0x3, 0x6, 0x6, 0x7, 0x6}, {0x9, 0xbb, 0x7ff, 0x8b, 0x101, 0x9}, {0xc44, 0x5, 0x5, 0x401, 0xdfa, 0xffffffffffffe581}, {0x5, 0x7ff, 0x1f, 0xffffffffffffff7f, 0x400, 0x100}, {0x100, 0x123, 0x9, 0xe979, 0x10001, 0x3}, {0x2, 0x1, 0x9e, 0x8000000000000, 0x3, 0x8}, {0x3f, 0x3, 0x3, 0x100000001, 0x3fe8000, 0xfffffffffffffffa}, {0xffffffffffff0001, 0x8000, 0x400}, {0x400000000000000, 0x9, 0xb74, 0x20, 0x1ff, 0x9}, {0x7fffffff, 0x1, 0xff, 0x3, 0x5, 0xff0}, {0x20, 0xfff, 0x3, 0x2, 0x3f, 0x6}, {0x3, 0x7, 0x1, 0x6, 0xfffffffffffffffa, 0x6}, {0x0, 0x7, 0x1, 0x9, 0x10001, 0xff}, {0x100000000, 0x8, 0x3, 0x7, 0x0, 0x4245}, {0xfffffffffffffffc, 0x81, 0x2, 0xffffffff, 0x8, 0x3ff}, {0x8, 0x2, 0x8, 0x1, 0xeb1}], [{0x0, 0x1}, {0x3, 0x1}, {0x3, 0x1}, {0x2}, {0x0, 0x1}, {0x1, 0x1}, {0x7}, {0x5}, {0x7, 0x1}, {0x3, 0x1}, {0x2, 0x1}, {}, {0x7, 0x1}, {0x5, 0x1}, {0x7}, {0x5, 0x1}, {0x3, 0x1}, {}, {0x3}, {}, {0x2, 0x1}, {0x1}, {0x5}, {0x1, 0x1}, {0x3, 0x1}, {0x5, 0x1}, {}, {0x0, 0x1}, {}, {}, {0x4}, {0x7}, {0x2, 0x1}, {}, {0x7, 0x1}, {0x0, 0x1}, {0x7}, {0x1, 0x1}, {0x5}, {0x5, 0x1}, {0x2, 0x1}, {0x4, 0x1}, {0x7}, {0x7, 0x1}, {0x7}, {0x5}, {0x1}, {0x5}, {0x4, 0x1}, {0x4}, {0x3, 0x1}, {0x7, 0x1}, {0x5, 0x1}, {0x5fb8a10e267d243d}, {0x1, 0x1}, {0x7, 0x1}, {0x1}, {0x5, 0x1}, {0x4}, {}, {0x7}, {0x1}, {0x2, 0x1}, {0x1, 0x1}, {0x4, 0x1}, {0x5, 0x1}, {0x3, 0x1}, {0x3, 0x1}, {0x7, 0x1}, {0x0, 0x1}, {}, {0x3, 0x1}, {0x5, 0x1}, {}, {0x7, 0x1}, {0x7, 0x1}, {0x5}, {0x4}, {0x4}, {0x4}, {0x1, 0x1}, {0x4}, {0x2}, {0x6}, {0x0, 0x1}, {0x3, 0x1}, {0x5}, {}, {0x2, 0x1}, {0x0, 0x1}, {0x4, 0x1}, {0x5, 0x1}, {}, {0x2, 0x1}, {0x2}, {0x7, 0x1}, {}, {0x1, 0x1}, {0x4, 0x1}, {0x7, 0x1}, {0x1, 0x1}, {0x5}, {0x3}, {0x7, 0x1}, {0x0, 0x1}, {0x0, 0x1}, {0x3}, {0x3}, {0x2, 0x1}, {0x3}, {0x6}, {0x1}, {0x3, 0x1}, {0x3}, {0x4}, {0x6}, {0x1, 0x1}, {0x7}, {0x4}, {0x1, 0x1}, {}, {0x7, 0x1}, {0x3, 0x1}, {0x3}, {0x4}, {0x4}, {}, {0x5}], 0x1}}]}, {0x1c, 0x6, "8281ca560f4fbb1743dfeb9939104305ce9719cd5e653c45"}}}}]}, 0x4220}, 0x1, 0x0, 0x0, 0x84}, 0x8000) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000580)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="0000000000000000221313915087a5b2c9e47d51bd4139fa6c1c62201bc36a0bdc28328e174511719d0f06445082de7d8d27a849fd1d1b40a6e6003d2feb5f0f04199023e4f2884a9850c480bc223869f790a6f29f7fc4ad81d8e47f25735c187f89989db3e8577b715cf18f69094c2111ea4db936431f972050d368cd7dc11f0b58bbe223f5d03828dc81ca8eb9accaeb3138b866aff2274def8dc842366c019c29c5686a96a4b08dd8165e4cdf33e6a0d9fc91f7a4cbff2d8391f13c2a8975f80a3b5688000000000000"], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:52:00 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x500, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 974.663560][T24281] binder: 24260:24281 ioctl 40046207 0 returned -16 [ 974.671687][T24285] binder: 24260:24285 ioctl c0306201 0 returned -14 [ 974.684511][T24284] binder: 24283:24284 ioctl c018620b 0 returned -14 [ 974.684593][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 974.721569][T31463] binder: release 24260:24285 transaction 3003 out, still active [ 974.741899][T24289] binder: 24287:24289 ioctl c018620b 0 returned -14 [ 974.759552][T24291] binder: 24290:24291 ioctl c018620b 0 returned -14 [ 974.766859][T24289] binder: 24289 RLIMIT_NICE not set [ 974.818400][T24294] binder: BINDER_SET_CONTEXT_MGR already set [ 974.824698][T24294] binder: 24290:24294 ioctl 40046207 0 returned -16 [ 974.832187][T24294] binder: 24290:24294 ioctl c0306201 0 returned -14 [ 975.373777][T31463] binder: release 24275:24282 transaction 3000 out, still active [ 975.386885][T31463] binder: send failed reply for transaction 3000, target dead [ 975.388776][T24289] binder: 24287:24289 ioctl c018620b 0 returned -14 [ 975.399303][T31463] binder: send failed reply for transaction 3003, target dead [ 975.406220][T24293] binder: 24293 RLIMIT_NICE not set [ 975.414809][T24289] binder: 24287:24289 transaction failed 29189/-22, size 24-8 line 2994 [ 975.423558][T31463] binder: send failed reply for transaction 3006 to 24283:24288 [ 975.427732][T24293] binder_thread_write: 4 callbacks suppressed [ 975.427743][T24293] binder: 24287:24293 BC_INCREFS_DONE u0000000000000000 no match [ 975.432308][T31463] binder: send failed reply for transaction 3009 to 24287:24293 [ 975.450822][T24288] binder: 24283:24288 ioctl c018620b 0 returned -14 [ 975.457896][T31463] binder: send failed reply for transaction 3012 to 24290:24294 [ 975.472989][T24288] binder: 24283:24288 BC_ACQUIRE_DONE u0000000000000000 no match [ 975.473274][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 975.494436][T24298] binder: 24283:24298 transaction failed 29189/-22, size 24-8 line 2994 [ 975.503710][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 975.552398][T24300] binder_alloc: binder_alloc_mmap_handler: 24290 20001000-20004000 already mapped failed -16 [ 975.563071][T24294] binder: 24290:24294 ioctl c018620b 0 returned -14 [ 975.570736][T24301] binder_alloc: 24290: binder_alloc_buf, no vma [ 975.577226][T24301] binder: 24290:24301 transaction failed 29189/-3, size 24-8 line 3147 [ 975.585721][T24294] binder: 24290:24294 BC_INCREFS_DONE u0000000000000000 no match [ 975.585748][T24300] binder: 24290:24300 ioctl c0306201 0 returned -14 [ 975.600626][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 975.913459][ C1] net_ratelimit: 20 callbacks suppressed [ 975.919152][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 975.924923][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 975.930704][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 975.936454][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 975.942241][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 975.948010][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:52:02 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x0, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:02 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:52:02 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) readv(r0, &(0x7f0000000340)=[{&(0x7f0000000240)=""/68, 0x44}], 0x1) 07:52:02 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r0 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="be4a1797"], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) getsockopt$TIPC_SOCK_RECVQ_DEPTH(r0, 0x10f, 0x84, &(0x7f00000001c0), &(0x7f0000000380)=0x4) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') r2 = syz_open_dev$midi(&(0x7f0000000040)='/dev/midi#\x00', 0x3ff, 0x101000) ioctl$VIDIOC_SUBDEV_S_EDID(r2, 0xc0245629, &(0x7f0000000180)={0x0, 0x123, 0xbe, [], &(0x7f0000000100)=0x15fa1cf7}) 07:52:02 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40406300}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x600, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 976.341029][T24307] binder: 24306:24307 ioctl c018620b 0 returned -14 [ 976.351400][T24305] binder: 24303:24305 ioctl c018620b 0 returned -14 [ 976.353008][T24312] binder: 24312 RLIMIT_NICE not set [ 976.362426][T24307] binder: 24306:24307 unknown command -1760081218 [ 976.366167][T24309] binder: 24308:24309 ioctl c018620b 0 returned -14 [ 976.372960][T24307] binder: 24306:24307 ioctl c0306201 20000140 returned -22 [ 976.377631][T24309] binder: 24308:24309 transaction failed 29189/-22, size 0-0 line 2994 [ 976.389705][T24307] binder: 24306:24307 transaction failed 29189/-22, size 24-8 line 2994 [ 976.396335][T24309] binder: 24308:24309 BC_INCREFS_DONE u0000000000000000 no match [ 976.403337][T24307] binder: 24306:24307 BC_INCREFS_DONE u0000000000000000 no match [ 976.411156][T24317] binder: 24308:24317 ioctl c018620b 0 returned -14 [ 976.421372][T24318] binder: BINDER_SET_CONTEXT_MGR already set [ 976.429266][T24318] binder: 24303:24318 ioctl 40046207 0 returned -16 07:52:02 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40406301}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 976.431186][T12061] binder: release 24308:24309 transaction 3022 out, still active [ 976.436937][T24318] binder: 24303:24318 ioctl c0306201 0 returned -14 [ 976.456114][T24323] binder: 24306:24323 ioctl c018620b 0 returned -14 [ 976.462994][T12061] binder: undelivered TRANSACTION_COMPLETE 07:52:02 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r0 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) mmap$binder(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x2, 0x4812, r0, 0x0) r2 = mmap$binder(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x1000000, 0x50, r0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x14, 0x0, &(0x7f0000000380)=[@increfs_done={0x40106308, r2, 0x8}], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) r3 = getpid() ptrace$setregs(0xd, r3, 0x6440ccd6, &(0x7f00000000c0)="2b9f2c8702a2297ac67e25349d8340a167150c1aabbfcbb0fe4594e046728f2f0ac4d164d522e147342ae715b6a3d9e3c41c965bfee884d8e765bbad51fe9a4c55547cc43a366db7") ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 976.489330][T12061] binder: release 24308:24319 transaction 3023 out, still active [ 976.508934][T24326] binder: 24325:24326 ioctl c018620b 0 returned -14 [ 976.511106][T12061] binder: release 24306:24322 transaction 3032 out, still active [ 976.520204][T24328] binder: 24327:24328 ioctl c018620b 0 returned -14 [ 976.527589][T24326] binder: 24325:24326 got reply transaction with no transaction stack [ 976.537136][T24328] binder: 24327:24328 BC_INCREFS_DONE u0000000000000000 no match [ 976.538786][T24326] binder: 24325:24326 transaction failed 29201/-71, size 0-0 line 2899 [ 976.557331][T24326] binder: 24325:24326 BC_INCREFS_DONE u0000000000000000 no match [ 976.567073][T24329] binder: 24325:24329 ioctl c018620b 0 returned -14 [ 976.574075][T24326] binder: 24325:24326 got reply transaction with no transaction stack 07:52:02 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40486311}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 976.628895][T31463] binder: undelivered TRANSACTION_ERROR: 29201 [ 976.635260][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 976.635305][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 976.635371][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 976.635405][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 976.668482][T31463] binder: release 24325:24329 transaction 3037 out, still active [ 976.690330][T24333] binder: 24332:24333 ioctl c018620b 0 returned -14 07:52:02 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 977.131097][T24318] binder_alloc: binder_alloc_mmap_handler: 24303 20001000-20004000 already mapped failed -16 [ 977.141604][T24318] binder: 24303:24318 ioctl c018620b 0 returned -14 [ 977.148874][T24339] binder: BINDER_SET_CONTEXT_MGR already set [ 977.155131][T24339] binder: 24303:24339 ioctl 40046207 0 returned -16 [ 977.156048][T31463] binder: release 24311:24316 transaction 3024 out, still active [ 977.162067][T24340] binder: 24303:24340 ioctl c0306201 0 returned -14 07:52:02 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x700, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 977.187175][T31463] binder: send failed reply for transaction 3022, target dead [ 977.206832][T31463] binder: send failed reply for transaction 3024, target dead [ 977.220424][T31463] binder: send failed reply for transaction 3023, target dead [ 977.242331][T24344] binder: 24344 RLIMIT_NICE not set [ 977.247240][T31463] binder: send failed reply for transaction 3029 to 24303:24318 [ 977.253695][T24346] binder: 24345:24346 ioctl c018620b 0 returned -14 [ 977.262125][T31463] binder: send failed reply for transaction 3032, target dead [ 977.271679][T31463] binder: send failed reply for transaction 3037, target dead [ 977.281340][T31463] binder: send failed reply for transaction 3040 to 24327:24330 [ 977.291181][T31463] binder: send failed reply for transaction 3043 to 24332:24333 [ 977.300997][T31463] binder: send failed reply for transaction 3044 to 24332:24334 [ 977.302708][T24333] binder: 24332:24333 ioctl c018620b 0 returned -14 [ 977.311505][T31463] binder: send failed reply for transaction 3047 to 24303:24340 [ 977.320058][T24330] binder: 24327:24330 ioctl c018620b 0 returned -14 [ 977.323482][T24348] binder: BINDER_SET_CONTEXT_MGR already set 07:52:03 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper={0x40486312}], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 977.341942][T31463] binder: release 24332:24333 transaction 3054 out, still active [ 977.342596][T24330] binder: 24327:24330 BC_INCREFS_DONE u0000000000000000 no match [ 977.351881][T24348] binder: 24345:24348 ioctl 40046207 0 returned -16 [ 977.370749][T31463] binder: undelivered TRANSACTION_COMPLETE [ 977.377692][T31463] binder: release 24332:24349 transaction 3055 out, still active [ 977.394057][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 977.400441][T31463] binder: release 24327:24351 transaction 3058 out, still active [ 977.401511][T24355] binder: 24354:24355 ioctl c018620b 0 returned -14 [ 977.413217][T31463] binder: undelivered TRANSACTION_COMPLETE [ 977.420876][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 977.432648][T24348] binder: 24345:24348 ioctl c0306201 0 returned -14 [ 977.440063][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 977.451856][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 977.461580][T24357] binder: 24354:24357 got reply transaction with no transaction stack [ 977.469377][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 978.031014][T31463] binder: release 24343:24347 transaction 3051 out, still active [ 978.046380][T12061] binder: send failed reply for transaction 3051, target dead [ 978.051895][T24352] binder_alloc: binder_alloc_mmap_handler: 24345 20001000-20004000 already mapped failed -16 [ 978.057509][T12061] binder: send failed reply for transaction 3054, target dead [ 978.080617][T24348] binder: 24345:24348 ioctl c018620b 0 returned -14 [ 978.081802][T12061] binder: send failed reply for transaction 3055, target dead [ 978.089284][T24359] binder_alloc: 24345: binder_alloc_buf, no vma [ 978.102072][T12061] binder: send failed reply for transaction 3058, target dead [ 978.106098][T24359] binder_transaction: 2 callbacks suppressed [ 978.106113][T24359] binder: 24345:24359 transaction failed 29189/-3, size 24-8 line 3147 [ 978.110234][T12061] binder: send failed reply for transaction 3061 to 24345:24352 [ 978.120516][T24348] binder: 24345:24348 BC_INCREFS_DONE u0000000000000000 no match [ 978.124287][T12061] binder: send failed reply for transaction 3065 to 24354:24355 [ 978.131663][T24352] binder: 24345:24352 ioctl c0306201 0 returned -14 [ 978.140418][T24355] binder: 24354:24355 ioctl c018620b 0 returned -14 [ 978.161308][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 978.168258][T24355] binder: 24354:24355 got reply transaction with no transaction stack [ 978.169606][T24360] binder: 24354:24360 transaction failed 29189/-22, size 24-8 line 2994 [ 978.181664][T24355] binder: 24354:24355 transaction failed 29201/-71, size 0-0 line 2899 [ 978.198293][T12061] binder: undelivered TRANSACTION_ERROR: 29201 [ 978.204898][T12061] binder: undelivered TRANSACTION_ERROR: 29201 07:52:05 executing program 1: r0 = gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r1, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r1, 0xa, 0x12) fcntl$setownex(0xffffffffffffffff, 0xf, &(0x7f00000ff000)={0x0, r0}) recvmsg(r2, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r1, r2) r3 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r3, 0x16) 07:52:05 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) 07:52:05 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000100)={'teql0\x00', 0x211}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="9c97c998fe0a2fa4328fe23a13f368b77d1e004ec0f1471e59cd9a222c4b4d9b", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:52:05 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x4800, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:52:05 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x3f00, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 979.401810][T24372] binder: 24365:24372 ioctl c018620b 0 returned -14 [ 979.403742][T24369] binder: 24369 RLIMIT_NICE not set [ 979.414674][T24370] binder: 24368:24370 ioctl c018620b 0 returned -14 [ 979.417727][T24372] binder: 24372 RLIMIT_NICE not set [ 979.427439][T24371] binder: 24366:24371 ioctl c018620b 0 returned -14 [ 979.434724][T24371] binder: 24371 RLIMIT_NICE not set [ 979.464396][T24377] binder: 24365:24377 unknown command -1731618916 [ 979.471197][T24377] binder: 24365:24377 ioctl c0306201 200002c0 returned -22 [ 979.479452][T24378] binder: BINDER_SET_CONTEXT_MGR already set [ 979.485576][T24378] binder: 24368:24378 ioctl 40046207 0 returned -16 [ 979.493250][T24378] binder: 24368:24378 ioctl c0306201 0 returned -14 07:52:05 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) [ 980.189989][T24383] binder: 24365:24383 ioctl c018620b 0 returned -14 [ 980.197820][T24377] binder: 24377 RLIMIT_NICE not set [ 980.197967][T24379] binder: 24366:24379 ioctl c018620b 0 returned -14 [ 980.210438][T24383] binder: 24365:24383 unknown command -1731618916 [ 980.217295][T24385] binder_alloc: binder_alloc_mmap_handler: 24368 20001000-20004000 already mapped failed -16 [ 980.222942][T31463] binder: send failed reply for transaction 3073, target dead 07:52:05 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) r1 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000100)={r4}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 980.227785][T24378] binder: 24368:24378 ioctl c018620b 0 returned -14 [ 980.240460][T31463] binder: send failed reply for transaction 3076 to 24365:24377 [ 980.249181][T24387] binder_alloc: 24368: binder_alloc_buf, no vma [ 980.249589][T24371] binder: 24371 RLIMIT_NICE not set [ 980.260610][T24383] binder: 24365:24383 ioctl c0306201 200002c0 returned -22 [ 980.269371][T24387] binder: 24368:24387 transaction failed 29189/-3, size 24-8 line 3147 [ 980.278162][T24386] binder_alloc: 24368: binder_alloc_buf, no vma 07:52:06 executing program 4: r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x4103, 0x4) r1 = openat(r0, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r2 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc00c64b5, &(0x7f0000000100)={&(0x7f0000000040)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x9}) unlink(&(0x7f0000000940)='./file0\x00') ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) dup2(r1, r2) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 980.280261][T24378] binder: 24368:24378 BC_INCREFS_DONE u0000000000000000 no match [ 980.290882][T31463] binder: send failed reply for transaction 3079 to 24366:24379 [ 980.297449][T24386] binder: 24366:24386 transaction failed 29189/-3, size 24-8 line 3147 [ 980.300847][T31463] binder: send failed reply for transaction 3082 to 24368:24378 [ 980.320094][T24389] binder: 24389 RLIMIT_NICE not set [ 980.328407][T24385] binder: 24368:24385 ioctl c0306201 0 returned -14 07:52:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x4c00, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:52:06 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x4000, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 980.338034][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 980.353567][T31463] binder: undelivered TRANSACTION_COMPLETE 07:52:06 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) syz_open_dev$dmmidi(&(0x7f0000000040)='/dev/dmmidi#\x00', 0x9, 0x420000) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB='\fc\x00 '], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000100)=ANY=[@ANYBLOB="0000000000000000879f010482618070012e23ec34586410c180187a9747cb50"]], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 980.397287][T24397] binder: 24396:24397 ioctl c018620b 0 returned -14 [ 980.418334][T24400] binder: 24399:24400 ioctl c018620b 0 returned -14 [ 980.425738][T24400] binder: 24400 RLIMIT_NICE not set [ 980.443240][T24402] binder: 24401:24402 ioctl c018620b 0 returned -14 [ 980.450707][T24402] binder: 24401:24402 unknown command 536896268 [ 980.457690][T24402] binder: 24401:24402 ioctl c0306201 20000140 returned -22 [ 980.457709][T24403] binder: BINDER_SET_CONTEXT_MGR already set [ 980.473638][T24403] binder: 24396:24403 ioctl 40046207 0 returned -16 [ 980.483281][T24403] binder: 24396:24403 ioctl c0306201 0 returned -14 [ 980.512454][T24406] binder: 24401:24406 BC_INCREFS_DONE node 3099 has no pending increfs request [ 981.079726][T31463] binder_thread_release: 1 callbacks suppressed [ 981.079736][T31463] binder: release 24388:24392 transaction 3092 out, still active [ 981.106207][T24400] binder: 24399:24400 ioctl c018620b 0 returned -14 [ 981.106755][T24402] binder: 24401:24402 ioctl c018620b 0 returned -14 [ 981.112997][T24400] binder: 24400 RLIMIT_NICE not set [ 981.130519][T24406] binder: 24401:24406 unknown command 536896268 [ 981.131357][T24408] binder: 24399:24408 transaction failed 29189/-22, size 24-8 line 2994 [ 981.137356][T24406] binder: 24401:24406 ioctl c0306201 20000140 returned -22 [ 981.145608][T24404] binder: 24399:24404 BC_INCREFS_DONE u0000000000000000 no match [ 981.153148][T24402] binder: 24401:24402 transaction failed 29189/-22, size 24-8 line 2994 [ 981.169339][T24406] binder: 24401:24406 BC_INCREFS_DONE u0000000000000000 no match [ 981.188079][T24403] binder_alloc: binder_alloc_mmap_handler: 24396 20001000-20004000 already mapped failed -16 [ 981.210912][T24403] binder: 24396:24403 ioctl c018620b 0 returned -14 [ 981.216773][T24411] binder_alloc: 24396: binder_alloc_buf, no vma [ 981.224365][T24411] binder: 24396:24411 transaction failed 29189/-3, size 24-8 line 3147 [ 981.232737][T24410] binder: 24396:24410 ioctl c0306201 0 returned -14 [ 981.232765][T24403] binder: 24396:24403 BC_INCREFS_DONE u0000000000000000 no match [ 982.153453][ C1] net_ratelimit: 20 callbacks suppressed [ 982.153461][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 982.164918][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 982.170721][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 982.176485][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 982.182247][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 982.188007][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:52:08 executing program 1: gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) fcntl$setownex(r0, 0xf, 0x0) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:52:08 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) 07:52:08 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0) r0 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$KVM_SET_TSS_ADDR(r0, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000100)={r3}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:08 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x1000000, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:08 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f0000000040)={0x2, [0x0, 0x0]}, &(0x7f0000000100)=0xc) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f0000000180)={r2}, &(0x7f00000001c0)=0x8) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r3 = syz_open_dev$binder(&(0x7f0000000580)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r3, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) r4 = dup2(r3, r1) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$EXT4_IOC_SWAP_BOOT(r3, 0x6611) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f0000000380)={0x0}, &(0x7f00000003c0)=0xc) capset(&(0x7f0000000480)={0x19980330, r5}, &(0x7f00000004c0)={0x0, 0xfffffffffffffff8, 0x8001, 0x1023, 0x10000, 0x8}) 07:52:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x6800, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 982.452073][T24421] binder: 24416:24421 ioctl c018620b 0 returned -14 [ 982.452338][T24420] binder: 24415:24420 ioctl c018620b 0 returned -14 [ 982.462456][T24422] binder: 24422 RLIMIT_NICE not set [ 982.475167][T24421] binder: 24421 RLIMIT_NICE not set [ 982.477298][T24418] binder: 24417:24418 ioctl c018620b 0 returned -14 [ 982.521256][T24427] binder: BINDER_SET_CONTEXT_MGR already set [ 982.527645][T24427] binder: 24415:24427 ioctl 40046207 0 returned -16 [ 982.528942][T24428] binder: 24416:24428 ioctl 6611 0 returned -22 [ 982.535410][T24427] binder: 24415:24427 ioctl c0306201 0 returned -14 [ 982.883456][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 982.889358][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 982.895219][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 982.900946][ C0] protocol 88fb is buggy, dev hsr_slave_1 07:52:08 executing program 5: read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:08 executing program 5: read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:08 executing program 5: read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:08 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:08 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:08 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 983.242881][T24428] binder: 24416:24428 ioctl c018620b 0 returned -14 [ 983.243294][T24429] binder: 24417:24429 ioctl c018620b 0 returned -14 [ 983.253627][T12061] binder: release 24414:24425 transaction 3109 out, still active [ 983.264317][T24450] binder_alloc: binder_alloc_mmap_handler: 24415 20001000-20004000 already mapped failed -16 [ 983.276831][T24428] binder: 24416:24428 ioctl 6611 0 returned -22 [ 983.279874][T12061] binder: release 24417:24452 transaction 3121 out, still active [ 983.311738][T24427] binder: 24415:24427 ioctl c018620b 0 returned -14 [ 983.314916][T12061] binder_send_failed_reply: 1 callbacks suppressed [ 983.314923][T12061] binder: send failed reply for transaction 3109, target dead [ 983.339287][T24450] binder_alloc: 24415: binder_alloc_buf, no vma [ 983.345717][T24450] binder: 24415:24450 transaction failed 29189/-3, size 24-8 line 3147 [ 983.355170][T12061] binder_send_failed_reply: 4 callbacks suppressed [ 983.355203][T12061] binder: send failed reply for transaction 3112 to 24416:24428 [ 983.363606][T24427] binder: 24415:24427 BC_INCREFS_DONE u0000000000000000 no match [ 983.369508][T12061] binder: send failed reply for transaction 3115 to 24415:24427 [ 983.383159][T24450] binder: 24415:24450 ioctl c0306201 0 returned -14 [ 983.384917][T12061] binder: send failed reply for transaction 3118 to 24417:24429 [ 983.407849][T12061] binder: send failed reply for transaction 3121, target dead [ 983.416134][T12061] binder: send failed reply for transaction 3124 to 24416:24449 [ 983.424036][T12061] binder_release_work: 5 callbacks suppressed [ 983.424040][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 983.436451][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 983.442675][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 983.448975][T12061] binder: undelivered TRANSACTION_ERROR: 29189 07:52:11 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x3f000000, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:11 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:11 executing program 1: gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) fcntl$setownex(r0, 0xf, 0x0) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:52:11 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r0 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:52:11 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0) r0 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$KVM_SET_TSS_ADDR(r0, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000100)={r3}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x6c00, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:52:11 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 985.508553][T24459] binder: 24458:24459 ioctl c018620b 0 returned -14 [ 985.510221][T24465] binder: 24464:24465 ioctl c018620b 0 returned -14 [ 985.522731][T24463] binder_set_nice: 3 callbacks suppressed [ 985.522739][T24463] binder: 24463 RLIMIT_NICE not set [ 985.523883][T24459] binder: 24459 RLIMIT_NICE not set [ 985.542426][T24467] binder: 24467 RLIMIT_NICE not set [ 985.548965][T24467] binder: 24466:24467 transaction failed 29189/-22, size 24-8 line 2994 [ 985.558429][T24467] binder: 24466:24467 BC_INCREFS_DONE u0000000000000000 no match [ 985.569846][T24467] binder: 24467 RLIMIT_NICE not set [ 985.579671][T12061] binder: release 24466:24475 transaction 3137 out, still active [ 985.588789][T24477] binder: BINDER_SET_CONTEXT_MGR already set 07:52:11 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x4) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r1 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) ioctl$EXT4_IOC_GROUP_EXTEND(r0, 0x40046607, &(0x7f0000000040)=0xffffffffffffc80a) unlink(&(0x7f0000000940)='./file0\x00') r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) setsockopt$inet_udp_int(r1, 0x11, 0x6f, &(0x7f0000000100)=0x2, 0x4) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:52:11 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(0xffffffffffffffff, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 985.608174][T24477] binder: 24464:24477 ioctl 40046207 0 returned -16 [ 985.619442][T24477] binder: 24464:24477 ioctl c0306201 0 returned -14 07:52:11 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:11 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 985.659235][T24483] binder: 24482:24483 ioctl c018620b 0 returned -14 [ 985.674243][T24483] binder: 24483 RLIMIT_NICE not set 07:52:11 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, 0x0, 0x0) ioctl$int_in(r0, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 986.290251][T24495] binder: 24458:24495 ioctl c018620b 0 returned -14 [ 986.298060][T24472] binder: 24472 RLIMIT_NICE not set [ 986.303649][T12061] binder: release 24462:24470 transaction 3131 out, still active [ 986.312205][T24477] binder_alloc: binder_alloc_mmap_handler: 24464 20001000-20004000 already mapped failed -16 [ 986.323894][T24477] binder: 24464:24477 ioctl c018620b 0 returned -14 [ 986.330578][T12061] binder: send failed reply for transaction 3131, target dead [ 986.330598][T12061] binder: send failed reply for transaction 3134 to 24458:24472 [ 986.338983][T24497] binder_alloc: 24464: binder_alloc_buf, no vma [ 986.350962][T12061] binder: send failed reply for transaction 3137, target dead [ 986.354043][T24483] binder: 24482:24483 ioctl c018620b 0 returned -14 [ 986.366999][T24497] binder: 24464:24497 transaction failed 29189/-3, size 24-8 line 3147 [ 986.373733][T12061] binder: send failed reply for transaction 3140 to 24464:24477 [ 986.380749][T24489] binder: 24489 RLIMIT_NICE not set 07:52:12 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x40000000, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:12 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 986.389612][T24477] binder: 24464:24477 BC_INCREFS_DONE u0000000000000000 no match [ 986.397849][T12061] binder: send failed reply for transaction 3143 to 24482:24489 [ 986.408147][T12061] binder: send failed reply for transaction 3146 to 24458:24495 [ 986.416054][T24489] binder_alloc: 24464: binder_alloc_buf, no vma [ 986.423564][T24496] binder: 24464:24496 ioctl c0306201 0 returned -14 [ 986.439555][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 986.452885][T12061] binder: undelivered TRANSACTION_COMPLETE [ 986.455764][T24489] binder: 24482:24489 transaction failed 29189/-3, size 24-8 line 3147 [ 986.471372][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 986.472247][T24483] binder: 24482:24483 BC_INCREFS_DONE u0000000000000000 no match [ 986.488167][T24504] binder: 24503:24504 ioctl c018620b 0 returned -14 [ 986.488512][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 986.500063][T24504] binder: 24504 RLIMIT_NICE not set [ 986.519809][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 986.546478][T24507] binder: 24503:24507 transaction failed 29189/-22, size 24-8 line 2994 [ 986.555431][T24507] binder: 24503:24507 BC_INCREFS_DONE u0000000000000000 no match [ 987.262957][T24509] binder: 24503:24509 ioctl c018620b 0 returned -14 [ 987.270194][T24507] binder: 24507 RLIMIT_NICE not set [ 987.270916][T24510] binder: 24503:24510 transaction failed 29189/-22, size 24-8 line 2994 [ 988.393488][ C1] net_ratelimit: 20 callbacks suppressed [ 988.393496][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 988.405069][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 988.410864][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 988.416645][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 988.422409][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 988.428169][ C1] protocol 88fb is buggy, dev hsr_slave_1 07:52:14 executing program 1: gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) fcntl$setownex(r0, 0xf, 0x0) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:52:14 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0) r0 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$KVM_SET_TSS_ADDR(r0, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000100)={r3}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x7400, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 07:52:14 executing program 4: r0 = socket$bt_hidp(0x1f, 0x3, 0x6) lseek(r0, 0x0, 0x0) r1 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0xffffffa9) r2 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r3 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r3, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="c2185252684ad4abb27e99ae45c0b9e1ac5374a08165179a458d0a7fd5cd66b317561e1384eb629e3da76661cbf6d5cb88999bd765519f6e7409eadb83494f6b3b49c3183db35285c67a2c2fc8160f3967051178009e3d781883e3a73f2cf01e4dc6921137c86c45d36353e6ed1cd30fbfff002601adbeef79ed44898c883b8daa367e64c7b3959095"], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) ioctl$ASHMEM_GET_SIZE(r1, 0x7704, 0x0) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x23, 0x0, &(0x7f0000000180)=ANY=[@ANYRESOCT=r2, @ANYRES64=0x0, @ANYBLOB='H\x00\x00\x00'], 0x0, 0x0, 0x0}) chdir(&(0x7f00000000c0)='./file0\x00') openat(r1, &(0x7f0000000040)='.\x00', 0x2800, 0x0) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') 07:52:14 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) 07:52:14 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0xfdfdffff, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 988.563495][T24520] binder: 24518:24520 ioctl c018620b 0 returned -14 [ 988.568945][T24521] binder: 24521 RLIMIT_NICE not set [ 988.572627][T24514] binder: 24512:24514 ioctl c018620b 0 returned -14 [ 988.578342][T24516] binder: 24515:24516 ioctl c018620b 0 returned -14 [ 988.583870][T24520] binder: 24518:24520 unknown command 1381112002 [ 988.595457][T24520] binder: 24518:24520 ioctl c0306201 20000140 returned -22 [ 988.604206][T24520] binder: 24518:24520 transaction failed 29189/-22, size 24-8 line 2994 [ 988.612882][T24520] binder: 24518:24520 unknown command 926363952 [ 988.619855][T24520] binder: 24518:24520 ioctl c0306201 200001c0 returned -22 [ 988.631204][T24520] binder: 24518:24520 ioctl c018620b 0 returned -14 [ 988.638004][T24520] binder: 24518:24520 unknown command 1381112002 [ 988.645779][T24528] binder: BINDER_SET_CONTEXT_MGR already set [ 988.646030][T24527] binder: 24518:24527 transaction failed 29189/-22, size 24-8 line 2994 07:52:14 executing program 4: openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r0 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 988.655840][T24528] binder: 24515:24528 ioctl 40046207 0 returned -16 [ 988.662604][T24529] binder: 24518:24529 unknown command 926363952 [ 988.673451][T24520] binder: 24518:24520 ioctl c0306201 20000140 returned -22 [ 988.673497][T24529] binder: 24518:24529 ioctl c0306201 200001c0 returned -22 [ 988.680955][T24528] binder: 24515:24528 ioctl c0306201 0 returned -14 [ 988.717880][T24533] binder: 24532:24533 ioctl c018620b 0 returned -14 07:52:14 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(0xffffffffffffffff, 0x800000c0045005, &(0x7f0000000040)=0x5) [ 989.113489][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 989.119324][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 989.125142][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 989.130879][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 989.349724][T24539] binder: 24512:24539 ioctl c018620b 0 returned -14 [ 989.353830][T24540] binder_alloc: binder_alloc_mmap_handler: 24515 20001000-20004000 already mapped failed -16 [ 989.357365][T12061] binder: release 24512:24526 transaction 3159 out, still active [ 989.372009][T24528] binder: 24515:24528 ioctl c018620b 0 returned -14 [ 989.376425][T12061] binder: release 24512:24541 transaction 3169 out, still active [ 989.389112][T12061] binder: release 24513:24525 transaction 3156 out, still active 07:52:15 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0xfffffdfd, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:15 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20) r0 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$KVM_SET_TSS_ADDR(r0, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000100)={r3}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) [ 989.403771][T24540] binder: BINDER_SET_CONTEXT_MGR already set [ 989.440454][T24540] binder: 24515:24540 ioctl 40046207 0 returned -16 [ 989.451244][T24528] binder: 24515:24528 BC_INCREFS_DONE u0000000000000000 no match [ 989.459187][T24542] binder_alloc: 24513: binder_alloc_buf, no vma [ 989.459220][T24542] binder: 24515:24542 transaction failed 29189/-3, size 24-8 line 3147 [ 989.471917][T24549] binder: 24515:24549 ioctl c0306201 0 returned -14 [ 989.473939][T31463] binder: send failed reply for transaction 3156, target dead [ 989.485271][T24548] binder: 24547:24548 ioctl c018620b 0 returned -14 [ 989.488656][T31463] binder: send failed reply for transaction 3159, target dead 07:52:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x7a00, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 989.502822][T24533] binder: 24532:24533 ioctl c018620b 0 returned -14 [ 989.512065][T31463] binder: send failed reply for transaction 3163 to 24515:24528 [ 989.519913][T31463] binder: send failed reply for transaction 3166 to 24532:24534 [ 989.527665][T31463] binder: send failed reply for transaction 3169, target dead [ 989.539750][T31463] binder: release 24532:24534 transaction 3173 out, still active 07:52:15 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(0xffffffffffffffff, 0x1) setsockopt$XDP_UMEM_COMPLETION_RING(r0, 0x11b, 0x6, &(0x7f0000000040)=0x40, 0x4) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') [ 989.557318][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 989.568511][T31463] binder: undelivered TRANSACTION_ERROR: 29189 [ 989.580497][T24554] binder: 24553:24554 ioctl c018620b 0 returned -14 [ 989.583333][T24556] binder: 24555:24556 ioctl c018620b 0 returned -14 [ 989.634740][T24557] binder: BINDER_SET_CONTEXT_MGR already set [ 989.641029][T24557] binder: 24553:24557 ioctl 40046207 0 returned -16 [ 989.649251][T24557] binder: 24553:24557 ioctl c0306201 0 returned -14 [ 990.250785][T31463] binder: release 24545:24550 transaction 3175 out, still active [ 990.260169][T24552] binder: 24547:24552 ioctl c018620b 0 returned -14 [ 990.268127][T12061] binder: send failed reply for transaction 3173, target dead [ 990.275956][T24548] binder: 24547:24548 transaction failed 29189/-22, size 24-8 line 2994 [ 990.276387][T24556] binder: 24555:24556 ioctl c018620b 0 returned -14 [ 990.293450][T12061] binder: send failed reply for transaction 3175, target dead [ 990.309938][T24558] binder: 24555:24558 BC_INCREFS_DONE u0000000000000000 no match [ 990.319163][T12061] binder: send failed reply for transaction 3180 to 24547:24552 [ 990.328168][T12061] binder: send failed reply for transaction 3183 to 24555:24558 [ 990.336264][T24556] binder: 24555:24556 transaction failed 29189/-22, size 24-8 line 2994 [ 990.344800][T12061] binder: send failed reply for transaction 3186 to 24553:24557 [ 990.354143][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 990.360444][T12061] binder: undelivered TRANSACTION_ERROR: 29189 [ 990.379113][T24565] binder_alloc: binder_alloc_mmap_handler: 24553 20001000-20004000 already mapped failed -16 [ 990.389513][T24557] binder: 24553:24557 ioctl c018620b 0 returned -14 [ 990.396616][T24566] binder_alloc: 24553: binder_alloc_buf, no vma [ 990.402960][T24566] binder: 24553:24566 transaction failed 29189/-3, size 24-8 line 3147 [ 990.412955][T24557] binder: 24553:24557 BC_INCREFS_DONE u0000000000000000 no match [ 990.415841][T24565] binder: 24553:24565 ioctl c0306201 0 returned -14 [ 990.428560][T31463] binder: undelivered TRANSACTION_ERROR: 29189 07:52:17 executing program 1: gettid() socketpair$unix(0x1, 0x200000000005, 0x0, &(0x7f000087fff8)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$int_in(r0, 0x5452, &(0x7f0000000300)=0x8e4) fcntl$setsig(r0, 0xa, 0x12) fcntl$setownex(r0, 0xf, &(0x7f00000ff000)) recvmsg(r1, &(0x7f0000172fc8)={0x0, 0x0, 0x0}, 0x0) dup2(r0, r1) r2 = gettid() mmap(&(0x7f0000000000/0x709000)=nil, 0x709000, 0xfffffffffffffffc, 0x32, 0xffffffffffffffff, 0x0) tkill(r2, 0x16) 07:52:17 executing program 0: openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x0, 0x2) memfd_create(&(0x7f0000000600)='\xe87y\xd8\x0e\xfaE\xbb\x7fH\xbe\xbc\x95\x87\v\xd0\xcd9\xbd(0\xeeG\xaf\xe7\xb3?\xc7x\xbd\xe2R\xc5\r.', 0x0) syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000440)='./file0\x00', 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20) r0 = creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000980), 0x4) unlink(&(0x7f0000000940)='./file0\x00') r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$KVM_SET_TSS_ADDR(r0, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f00000006c0)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000100)={r3}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"}) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:17 executing program 2: syz_open_dev$sndseq(0x0, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) creat(&(0x7f0000000840)='./file0\x00', 0x101) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(0x0) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_TSS_ADDR(0xffffffffffffffff, 0xae47, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x100000000000000, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) shutdown(0xffffffffffffffff, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, &(0x7f0000000780)}) 07:52:17 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x0, &(0x7f0000000040)=0x5) 07:52:17 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x2000, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e}, 0x2c) r1 = creat(0x0, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) unlink(&(0x7f0000000940)='./file0\x00') bpf$BPF_GET_MAP_INFO(0xf, &(0x7f00000003c0)={r1, 0x28, &(0x7f0000000280)={0x0, 0x0}}, 0x10) bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000480)={r2, 0x473e, 0x18}, 0xc) r3 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r3, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000004c0)=ANY=[@ANYBLOB="007c00966b80a65071bfbec3c56eba0500"], 0x24, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c"}) shutdown(r0, 0x1) ioctl$SG_IO(r0, 0x2285, &(0x7f0000000780)={0x0, 0xffffffffffffffff, 0x41, 0xe756, @scatter={0x2, 0x0, &(0x7f0000000500)=[{&(0x7f00000000c0)=""/12, 0xc}, {&(0x7f0000000580)=""/228, 0xe4}]}, &(0x7f0000000680)="a919c925136442c0ea05d5c4cebdc7fcb7f2a41a9f8f893744c88617920771ed774e783d7fac6ed9c96ecc51ad11c8c36170525330fe687bf92cfcb8cc748a02a8", &(0x7f0000000980)=""/4096, 0xffffffffffffffc0, 0x10000, 0x1, &(0x7f0000000740)}) prctl$PR_SET_NAME(0xf, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB="000000400000da3b"]], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$sock_inet_SIOCSIFNETMASK(r0, 0x891c, &(0x7f00000001c0)={'gretap0\x00', {0x2, 0x4e22, @rand_addr=0xc2}}) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="bee5b7eb3d15bc291d00000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0}) syz_genetlink_get_family_id$tipc2(&(0x7f0000000540)='TIPCv2\x00') accept4$packet(r0, &(0x7f0000000040)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000100)=0x14, 0x800) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'veth0\x00', r4}) 07:52:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x1000000, &(0x7f00000000c0)=[@enter_looper], 0x5, 0x0, &(0x7f0000000700)="2ba063fb30"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 991.619932][T24573] binder_set_nice: 7 callbacks suppressed [ 991.619938][T24573] binder: 24573 RLIMIT_NICE not set [ 991.621955][T24575] binder: 24568:24575 ioctl c018620b 0 returned -14 [ 991.639191][T24576] binder: 24574:24576 ioctl c018620b 0 returned -14 [ 991.647009][T24576] binder: 24574:24576 unknown command -1778353152 [ 991.653807][T24577] binder: 24571:24577 ioctl c018620b 0 returned -14 [ 991.654742][T24576] binder: 24574:24576 ioctl c0306201 20000140 returned -22 [ 991.660590][T24575] binder: 24575 RLIMIT_NICE not set [ 991.669729][T24576] binder: 24574:24576 transaction failed 29189/-22, size 24-8 line 2994 [ 991.689386][T24576] binder: 24574:24576 unknown command -340269634 [ 991.695906][T24576] binder: 24574:24576 ioctl c0306201 200002c0 returned -22 [ 991.710293][T24584] binder: 24574:24584 ioctl c018620b 0 returned -14 [ 991.717780][T24585] binder: BINDER_SET_CONTEXT_MGR already set [ 991.719846][T24586] binder: 24574:24586 unknown command -340269634 [ 991.723974][T24576] binder: 24574:24576 unknown command -1778353152 [ 991.733465][T24585] binder: 24571:24585 ioctl 40046207 0 returned -16 [ 991.737183][T24576] binder: 24574:24576 ioctl c0306201 20000140 returned -22 [ 991.748454][T24584] ------------[ cut here ]------------ [ 991.752645][T24586] binder: 24574:24586 ioctl c0306201 200002c0 returned -22 [ 991.756038][T24584] kernel BUG at drivers/android/binder_alloc.c:1141! [ 991.758824][T24585] binder: 24571:24585 ioctl c0306201 0 returned -14 [ 991.768058][T24584] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 991.782780][T24584] CPU: 1 PID: 24584 Comm: syz-executor.4 Not tainted 5.1.0-rc2 #36 [ 991.790657][T24584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 991.800757][T24584] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 991.807234][T24584] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 991.826826][T24584] RSP: 0018:ffff88805f1976d8 EFLAGS: 00010216 [ 991.832865][T24584] RAX: 0000000000040000 RBX: 0000000020001040 RCX: ffffc9000e860000 [ 991.840810][T24584] RDX: 0000000000000429 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 991.848755][T24584] RBP: ffff88805f197758 R08: ffff888056b462c0 R09: 0000000000000028 [ 991.856700][T24584] R10: ffffed100be32f32 R11: ffff88805f197997 R12: 0000000000000020 [ 991.864645][T24584] R13: 0000000000000028 R14: ffff8880a5042fd0 R15: 0000000000000000 [ 991.872604][T24584] FS: 0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f5dd3b40 [ 991.881514][T24584] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 991.888081][T24584] CR2: 00000000f5d90ecc CR3: 00000000940aa000 CR4: 00000000001406e0 [ 991.896033][T24584] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 991.904152][T24584] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 991.912098][T24584] Call Trace: [ 991.915367][T24584] ? memcpy+0x46/0x50 [ 991.919336][T24584] binder_alloc_copy_from_buffer+0x37/0x42 [ 991.925168][T24584] binder_get_object+0xc3/0x200 [ 991.930005][T24584] binder_transaction+0x2b4a/0x6690 [ 991.935186][T24584] ? binder_thread_read+0x3d50/0x3d50 [ 991.940532][T24584] ? __lock_acquire+0x548/0x3fb0 [ 991.945447][T24584] ? __might_fault+0x12b/0x1e0 [ 991.950187][T24584] ? lock_downgrade+0x880/0x880 [ 991.955032][T24584] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 991.961304][T24584] ? _copy_from_user+0xdd/0x150 [ 991.966136][T24584] binder_thread_write+0x64a/0x2820 [ 991.971312][T24584] ? binder_transaction+0x6690/0x6690 [ 991.976659][T24584] ? __might_fault+0x12b/0x1e0 [ 991.981403][T24584] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 991.987619][T24584] ? _copy_from_user+0xdd/0x150 [ 991.992530][T24584] binder_ioctl+0x1033/0x183b [ 991.997185][T24584] ? binder_thread_write+0x2820/0x2820 [ 992.002627][T24584] ? __fget+0x381/0x550 [ 992.006769][T24584] ? ksys_dup3+0x3e0/0x3e0 [ 992.011215][T24584] ? get_old_timespec32+0x200/0x200 [ 992.016531][T24584] ? tomoyo_file_ioctl+0x23/0x30 [ 992.021443][T24584] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 992.027672][T24584] ? security_file_ioctl+0x93/0xc0 [ 992.032762][T24584] ? binder_thread_write+0x2820/0x2820 [ 992.038232][T24584] __ia32_compat_sys_ioctl+0x197/0x620 [ 992.043670][T24584] do_fast_syscall_32+0x281/0xc98 [ 992.048677][T24584] entry_SYSENTER_compat+0x70/0x7f [ 992.053766][T24584] RIP: 0023:0xf7ff8869 [ 992.057813][T24584] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 992.077590][T24584] RSP: 002b:00000000f5dd30cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036 [ 992.085982][T24584] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000c0306201 [ 992.093933][T24584] RDX: 0000000020000440 RSI: 0000000000000000 RDI: 0000000000000000 [ 992.101879][T24584] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 992.109824][T24584] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 07:52:17 executing program 5: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) read$eventfd(r0, &(0x7f0000000140), 0x2dd) ioctl$int_in(r0, 0x0, &(0x7f0000000040)=0x5) [ 992.117771][T24584] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 992.125893][T24584] Modules linked in: [ 992.130231][T24584] ---[ end trace e7c8f41472edbd79 ]--- [ 992.135976][T24584] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 992.143737][T24584] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 992.155622][ T3876] kobject: 'loop5' (00000000b5414826): kobject_uevent_env [ 992.163585][T24584] RSP: 0018:ffff88805f1976d8 EFLAGS: 00010216 [ 992.172701][ T3876] kobject: 'loop5' (00000000b5414826): fill_kobj_path: path = '/devices/virtual/block/loop5' [ 992.176734][T24584] RAX: 0000000000040000 RBX: 0000000020001040 RCX: ffffc9000e860000 [ 992.176743][T24584] RDX: 0000000000000429 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 992.176750][T24584] RBP: ffff88805f197758 R08: ffff888056b462c0 R09: 0000000000000028 [ 992.176757][T24584] R10: ffffed100be32f32 R11: ffff88805f197997 R12: 0000000000000020 [ 992.176765][T24584] R13: 0000000000000028 R14: ffff8880a5042fd0 R15: 0000000000000000 [ 992.176776][T24584] FS: 0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f5dd3b40 [ 992.176784][T24584] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 992.176792][T24584] CR2: 00000000f5d90ecc CR3: 00000000940aa000 CR4: 00000000001406e0 [ 992.176805][T24584] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 992.258383][T24584] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 992.266402][T24584] Kernel panic - not syncing: Fatal exception [ 992.273291][T24584] Kernel Offset: disabled [ 992.277605][T24584] Rebooting in 86400 seconds..