[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 100.210020] audit: type=1800 audit(1551488050.255:25): pid=11585 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 100.229270] audit: type=1800 audit(1551488050.255:26): pid=11585 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 100.248801] audit: type=1800 audit(1551488050.285:27): pid=11585 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts. 2019/03/02 00:54:26 fuzzer started 2019/03/02 00:54:31 dialing manager at 10.128.0.26:33059 2019/03/02 00:54:32 syscalls: 1 2019/03/02 00:54:32 code coverage: enabled 2019/03/02 00:54:32 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled 2019/03/02 00:54:32 extra coverage: extra coverage is not supported by the kernel 2019/03/02 00:54:32 setuid sandbox: enabled 2019/03/02 00:54:32 namespace sandbox: enabled 2019/03/02 00:54:32 Android sandbox: /sys/fs/selinux/policy does not exist 2019/03/02 00:54:32 fault injection: enabled 2019/03/02 00:54:32 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/03/02 00:54:32 net packet injection: enabled 2019/03/02 00:54:32 net device setup: enabled 00:57:25 executing program 0: syz_open_dev$evdev(&(0x7f0000000180)='/dev/input/event#\x00', 0x0, 0x0) pipe(&(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$LOOP_SET_FD(r1, 0x4c00, r1) r2 = syz_open_dev$loop(&(0x7f00000001c0)='/dev/loop#\x00', 0x0, 0x0) r3 = fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff) socket$nl_route(0x10, 0x3, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f00000002c0)='keyring\x00', &(0x7f0000000280)={'syz'}, 0x0, 0x0, 0xfffffffffffffffd) ioctl$KDSKBMODE(r3, 0x4b45, &(0x7f0000000000)=0x7) keyctl$unlink(0x9, r5, 0xfffffffffffffffd) r6 = dup(r3) syncfs(r0) unshare(0x40000000) epoll_ctl$EPOLL_CTL_MOD(r3, 0x3, r1, 0xfffffffffffffffd) fsetxattr$trusted_overlay_redirect(r4, &(0x7f0000000080)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x0) ioctl$sock_inet_SIOCADDRT(r6, 0x890b, &(0x7f0000000780)={0x0, {0x2, 0x4e20, @loopback}, {0x2, 0x4e21, @broadcast}, {0x2, 0x0, @broadcast}, 0x100, 0x0, 0x0, 0x0, 0x40, 0x0, 0x800, 0x100000000, 0x6}) sysinfo(&(0x7f0000000700)=""/94) sendfile(0xffffffffffffffff, r2, &(0x7f0000000040), 0xb8f) syzkaller login: [ 296.359075] IPVS: ftp: loaded support on port[0] = 21 [ 296.524587] chnl_net:caif_netlink_parms(): no params data found [ 296.609205] bridge0: port 1(bridge_slave_0) entered blocking state [ 296.615857] bridge0: port 1(bridge_slave_0) entered disabled state [ 296.624668] device bridge_slave_0 entered promiscuous mode [ 296.634744] bridge0: port 2(bridge_slave_1) entered blocking state [ 296.641259] bridge0: port 2(bridge_slave_1) entered disabled state [ 296.649857] device bridge_slave_1 entered promiscuous mode [ 296.687786] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 296.699508] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 296.732421] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 296.741046] team0: Port device team_slave_0 added [ 296.748549] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 296.757258] team0: Port device team_slave_1 added [ 296.765040] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 296.774618] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 296.957682] device hsr_slave_0 entered promiscuous mode [ 297.083609] device hsr_slave_1 entered promiscuous mode [ 297.344648] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 297.352557] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 297.385800] bridge0: port 2(bridge_slave_1) entered blocking state [ 297.392384] bridge0: port 2(bridge_slave_1) entered forwarding state [ 297.399578] bridge0: port 1(bridge_slave_0) entered blocking state [ 297.406193] bridge0: port 1(bridge_slave_0) entered forwarding state [ 297.508993] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 297.515811] 8021q: adding VLAN 0 to HW filter on device bond0 [ 297.530029] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 297.543893] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 297.557162] bridge0: port 1(bridge_slave_0) entered disabled state [ 297.567206] bridge0: port 2(bridge_slave_1) entered disabled state [ 297.580604] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 297.600373] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 297.606651] 8021q: adding VLAN 0 to HW filter on device team0 [ 297.623745] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 297.632649] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 297.641325] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 297.649634] bridge0: port 1(bridge_slave_0) entered blocking state [ 297.656199] bridge0: port 1(bridge_slave_0) entered forwarding state [ 297.673820] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 297.687468] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 297.695272] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 297.704042] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 297.712512] bridge0: port 2(bridge_slave_1) entered blocking state [ 297.719553] bridge0: port 2(bridge_slave_1) entered forwarding state [ 297.728764] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 297.748770] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 297.762997] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 297.777187] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 297.790058] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 297.798197] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 297.807740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 297.816790] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 297.825663] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 297.835323] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 297.844273] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 297.852914] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 297.863911] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 297.880332] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 297.887886] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 297.896556] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 297.916366] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 297.922512] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 297.950558] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 297.972637] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 298.212964] hrtimer: interrupt took 32996 ns [ 298.221112] IPVS: ftp: loaded support on port[0] = 21 [ 298.353343] IPVS: ftp: loaded support on port[0] = 21 00:57:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 299.037511] binder: 11761:11762 BC_INCREFS_DONE u0000000000000000 node 1 cookie mismatch 0000000000000001 != 0000000000000000 [ 299.049203] binder: 11761:11762 got transaction to context manager from process owning it [ 299.057748] binder: 11761:11762 transaction failed 29201/-22, size 0-0 line 2887 00:57:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 299.111418] binder: undelivered TRANSACTION_ERROR: 29201 [ 299.117131] binder: send failed reply for transaction 2 to 11761:11762 [ 299.124635] binder: undelivered TRANSACTION_COMPLETE [ 299.129807] binder: undelivered TRANSACTION_ERROR: 29189 [ 299.183303] binder: 11764:11765 BC_INCREFS_DONE u0000000000000000 node 7 cookie mismatch 0000000000000001 != 0000000000000000 [ 299.195073] binder: 11764:11765 got transaction to context manager from process owning it [ 299.203570] binder: 11764:11765 transaction failed 29201/-22, size 0-0 line 2887 [ 299.213676] binder: release 11764:11765 transaction 8 out, still active [ 299.220485] binder: unexpected work type, 4, not freed [ 299.225930] binder: undelivered TRANSACTION_COMPLETE 00:57:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 299.281168] binder: undelivered TRANSACTION_ERROR: 29201 [ 299.286857] binder: send failed reply for transaction 8, target dead [ 299.383619] binder: 11767:11768 BC_INCREFS_DONE u0000000000000000 node 13 cookie mismatch 0000000000000001 != 0000000000000000 [ 299.395457] binder: 11767:11768 got transaction to context manager from process owning it [ 299.403963] binder: 11767:11768 transaction failed 29201/-22, size 0-0 line 2887 [ 299.413632] binder: release 11767:11768 transaction 14 out, still active [ 299.420531] binder: unexpected work type, 4, not freed [ 299.426012] binder: undelivered TRANSACTION_COMPLETE 00:57:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 299.474971] binder: undelivered TRANSACTION_ERROR: 29201 [ 299.480536] binder: send failed reply for transaction 14, target dead [ 299.529804] binder: 11769:11771 BC_INCREFS_DONE u0000000000000000 node 19 cookie mismatch 0000000000000001 != 0000000000000000 [ 299.541767] binder: 11769:11771 got transaction to context manager from process owning it [ 299.550265] binder: 11769:11771 transaction failed 29201/-22, size 0-0 line 2887 [ 299.560948] binder: release 11769:11771 transaction 20 out, still active [ 299.568061] binder: unexpected work type, 4, not freed [ 299.573529] binder: undelivered TRANSACTION_COMPLETE 00:57:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 299.628974] binder: undelivered TRANSACTION_ERROR: 29201 [ 299.634744] binder: send failed reply for transaction 20, target dead [ 299.685590] binder: 11772:11774 BC_INCREFS_DONE u0000000000000000 node 25 cookie mismatch 0000000000000001 != 0000000000000000 [ 299.697384] binder: 11772:11774 got transaction to context manager from process owning it [ 299.706035] binder: 11772:11774 transaction failed 29201/-22, size 0-0 line 2887 [ 299.742614] binder: release 11772:11774 transaction 26 out, still active [ 299.749562] binder: unexpected work type, 4, not freed [ 299.755014] binder: undelivered TRANSACTION_COMPLETE 00:57:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 299.830712] binder: undelivered TRANSACTION_ERROR: 29201 [ 299.836386] binder: send failed reply for transaction 26, target dead [ 299.914181] binder: 11776:11777 BC_INCREFS_DONE u0000000000000000 node 31 cookie mismatch 0000000000000001 != 0000000000000000 [ 299.925911] binder: 11776:11777 got transaction to context manager from process owning it [ 299.934403] binder: 11776:11777 transaction failed 29201/-22, size 0-0 line 2887 [ 299.983320] binder: release 11776:11777 transaction 32 out, still active [ 299.990245] binder: unexpected work type, 4, not freed [ 299.995659] binder: undelivered TRANSACTION_COMPLETE 00:57:30 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 300.083608] binder: undelivered TRANSACTION_ERROR: 29201 [ 300.089213] binder: send failed reply for transaction 32, target dead [ 300.223113] binder: 11779:11780 BC_INCREFS_DONE u0000000000000000 node 37 cookie mismatch 0000000000000001 != 0000000000000000 [ 300.234924] binder: 11779:11780 got transaction to context manager from process owning it [ 300.243517] binder: 11779:11780 transaction failed 29201/-22, size 0-0 line 2887 [ 300.292513] binder: release 11779:11780 transaction 38 out, still active [ 300.299399] binder: unexpected work type, 4, not freed [ 300.304856] binder: undelivered TRANSACTION_COMPLETE 00:57:30 executing program 1: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x40, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) getsockname$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$TUNSETIFINDEX(0xffffffffffffffff, 0x400454da, &(0x7f0000004ac0)) semget(0x1, 0x0, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f00000003c0)='configfs\x00', 0x0, 0x0) r0 = open(&(0x7f0000000000)='./file0\x00', 0x0, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) getdents(r0, &(0x7f00000001c0)=""/239, 0xef) 00:57:30 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 300.375063] binder: undelivered TRANSACTION_ERROR: 29201 [ 300.380681] binder: send failed reply for transaction 38, target dead [ 300.484362] binder: 11783:11784 BC_INCREFS_DONE u0000000000000000 node 43 cookie mismatch 0000000000000001 != 0000000000000000 [ 300.496131] binder: 11783:11784 got transaction to context manager from process owning it [ 300.505197] binder: 11783:11784 transaction failed 29201/-22, size 0-0 line 2887 [ 300.572740] binder: release 11783:11784 transaction 44 out, still active [ 300.579636] binder: unexpected work type, 4, not freed [ 300.585087] binder: undelivered TRANSACTION_COMPLETE 00:57:30 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 300.685052] binder: undelivered TRANSACTION_ERROR: 29201 [ 300.690633] binder: send failed reply for transaction 44, target dead [ 300.839036] binder: 11786:11787 BC_INCREFS_DONE u0000000000000000 node 49 cookie mismatch 0000000000000001 != 0000000000000000 [ 300.850862] binder: 11786:11787 got transaction to context manager from process owning it [ 300.859405] binder: 11786:11787 transaction failed 29201/-22, size 0-0 line 2887 [ 300.903103] binder: release 11786:11787 transaction 50 out, still active [ 300.910070] binder: unexpected work type, 4, not freed [ 300.915498] binder: undelivered TRANSACTION_COMPLETE 00:57:31 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 301.025114] binder: undelivered TRANSACTION_ERROR: 29201 [ 301.030782] binder: send failed reply for transaction 50, target dead [ 301.118069] IPVS: ftp: loaded support on port[0] = 21 [ 301.123571] binder: 11789:11791 BC_INCREFS_DONE u0000000000000000 node 55 cookie mismatch 0000000000000001 != 0000000000000000 [ 301.135340] binder: 11789:11791 got transaction to context manager from process owning it [ 301.143878] binder: 11789:11791 transaction failed 29201/-22, size 0-0 line 2887 [ 301.203564] binder: release 11789:11791 transaction 56 out, still active [ 301.210469] binder: unexpected work type, 4, not freed [ 301.216004] binder: undelivered TRANSACTION_COMPLETE 00:57:31 executing program 0: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 301.307144] chnl_net:caif_netlink_parms(): no params data found [ 301.319484] binder: send failed reply for transaction 56, target dead [ 301.433076] bridge0: port 1(bridge_slave_0) entered blocking state [ 301.439657] bridge0: port 1(bridge_slave_0) entered disabled state [ 301.448175] device bridge_slave_0 entered promiscuous mode [ 301.480218] bridge0: port 2(bridge_slave_1) entered blocking state [ 301.486888] bridge0: port 2(bridge_slave_1) entered disabled state [ 301.496133] device bridge_slave_1 entered promiscuous mode 00:57:31 executing program 0: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 301.620200] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 301.656076] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 301.722971] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 301.731596] team0: Port device team_slave_0 added [ 301.749888] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 301.758566] team0: Port device team_slave_1 added 00:57:31 executing program 0: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 301.773411] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 301.781796] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 301.903151] device hsr_slave_0 entered promiscuous mode [ 302.024085] device hsr_slave_1 entered promiscuous mode 00:57:32 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 302.171909] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 302.193337] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 302.328481] bridge0: port 2(bridge_slave_1) entered blocking state [ 302.335124] bridge0: port 2(bridge_slave_1) entered forwarding state [ 302.342414] bridge0: port 1(bridge_slave_0) entered blocking state [ 302.348937] bridge0: port 1(bridge_slave_0) entered forwarding state [ 302.368724] bridge0: port 1(bridge_slave_0) entered disabled state [ 302.377193] bridge0: port 2(bridge_slave_1) entered disabled state [ 302.385920] binder: 11804:11806 BC_INCREFS_DONE u0000000000000000 no match [ 302.393075] binder: 11804:11806 Acquire 1 refcount change on invalid ref 0 ret -22 00:57:32 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 302.487109] 8021q: adding VLAN 0 to HW filter on device bond0 [ 302.500050] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 302.514188] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 302.520566] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 302.528996] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 302.543705] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 302.549808] 8021q: adding VLAN 0 to HW filter on device team0 [ 302.598705] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 302.605964] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 302.615939] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 302.624278] bridge0: port 1(bridge_slave_0) entered blocking state [ 302.630764] bridge0: port 1(bridge_slave_0) entered forwarding state [ 302.641236] binder: 11807:11809 BC_INCREFS_DONE u0000000000000000 no match [ 302.648534] binder: 11807:11809 Acquire 1 refcount change on invalid ref 0 ret -22 [ 302.657161] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 302.682765] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 302.694828] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 302.703451] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 302.712468] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 302.721011] bridge0: port 2(bridge_slave_1) entered blocking state [ 302.727588] bridge0: port 2(bridge_slave_1) entered forwarding state [ 302.735540] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 302.744908] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready 00:57:32 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 302.787313] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 302.796593] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 302.805834] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 302.841920] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 302.866722] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 302.874706] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 302.883779] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 302.909686] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 302.917837] binder: 11811:11812 BC_INCREFS_DONE u0000000000000000 no match [ 302.925247] binder: 11811:11812 Acquire 1 refcount change on invalid ref 0 ret -22 [ 302.932868] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 302.941503] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 302.965768] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 302.984118] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 302.992704] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 303.017206] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 303.023382] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready 00:57:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 303.087251] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 303.134549] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 303.173734] binder_alloc: 11814: binder_alloc_buf, no vma 00:57:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:33 executing program 1: r0 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)={0xe, 0x80000000000004, 0x4, 0x1, 0x0, 0x1}, 0x2c) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f0000000080)={r0, 0x0, 0x0}, 0x18) [ 303.447068] binder_alloc: 11821: binder_alloc_buf, no vma 00:57:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:33 executing program 1: r0 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)={0xe, 0x80000000000004, 0x4, 0x1, 0x0, 0x1}, 0x2c) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000040)={r0, &(0x7f0000000000), 0x0}, 0x18) [ 303.674663] binder_alloc: 11828: binder_alloc_buf, no vma 00:57:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:33 executing program 1: r0 = eventfd2(0xfffffffffffffff9, 0x800) fstatfs(0xffffffffffffffff, 0x0) r1 = dup(r0) openat(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$TIOCSCTTY(0xffffffffffffffff, 0x540e, 0x0) write$P9_RXATTRWALK(r1, &(0x7f0000000000)={0xf, 0x1f, 0x2, 0x1}, 0xf) 00:57:34 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:34 executing program 1: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:34 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 304.204384] binder_transaction: 17 callbacks suppressed [ 304.204420] binder: 11847:11848 transaction failed 29189/-22, size 24-8 line 2896 [ 304.224274] binder_thread_write: 6 callbacks suppressed [ 304.224354] binder: 11844:11845 BC_INCREFS_DONE u0000000000000000 node 91 cookie mismatch 0000000000000001 != 0000000000000000 [ 304.242676] binder_transaction: 6 callbacks suppressed [ 304.242710] binder: 11844:11845 got transaction to context manager from process owning it [ 304.256533] binder: 11844:11845 transaction failed 29201/-22, size 0-0 line 2887 [ 304.283728] binder_release_work: 18 callbacks suppressed [ 304.283744] binder: undelivered TRANSACTION_ERROR: 29189 00:57:34 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:34 executing program 1: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 304.403836] binder: undelivered TRANSACTION_ERROR: 29201 00:57:34 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 304.554632] binder: 11854:11855 BC_INCREFS_DONE u0000000000000000 node 94 cookie mismatch 0000000000000001 != 0000000000000000 [ 304.566405] binder: 11854:11855 got transaction to context manager from process owning it [ 304.574885] binder: 11854:11855 transaction failed 29201/-22, size 0-0 line 2887 00:57:34 executing program 1: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/mixer\x00', 0x80000, 0x0) write$apparmor_exec(r1, &(0x7f0000000080)={'exec ', '\x00'}, 0x6) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4) setsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000000)={0x8080000000}, 0x14) [ 304.673849] binder: undelivered TRANSACTION_ERROR: 29201 00:57:34 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:34 executing program 1: futex(0xfffffffffffffffd, 0x81, 0x40000003, 0x0, 0x0, 0x0) 00:57:35 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:35 executing program 1: rseq(0x0, 0x0, 0x0, 0x0) prctl$PR_GET_PDEATHSIG(0x2, &(0x7f0000000000)) 00:57:35 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:35 executing program 1: r0 = openat$cgroup_type(0xffffffffffffffff, &(0x7f0000000080)='cgroup.type\x00', 0x2, 0x0) r1 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0xf905, 0x880) ioctl$sock_inet_SIOCSIFPFLAGS(r1, 0x8934, &(0x7f0000000040)={'tunl0\x00', 0x8001}) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x4080000008031, r0, 0x20000000) getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f00000000c0)={0x0}, &(0x7f0000000180)=0x3) migrate_pages(r2, 0x7, 0x0, &(0x7f0000000100)) r3 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_DEL_DAEMON(r1, &(0x7f00000003c0)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000200)={0x164, r3, 0x100, 0x70bd26, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_SERVICE={0x50, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x3d, 0x9}}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x76}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x1c}, @IPVS_SVC_ATTR_PORT={0x8, 0x4, 0x4e22}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x20, 0x24}}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x7b}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@broadcast}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0xaf9}, @IPVS_CMD_ATTR_DEST={0x14, 0x2, [@IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x5}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e23}]}, @IPVS_CMD_ATTR_DAEMON={0x30, 0x3, [@IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @ipv4={[], [], @multicast1}}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}]}, @IPVS_CMD_ATTR_DEST={0x48, 0x2, [@IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@rand_addr="c3c118e7c8963ed088257e5dcd285659"}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x1}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x80000001}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x55}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x7fffffff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}]}, @IPVS_CMD_ATTR_SERVICE={0x5c, 0x1, [@IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}, @IPVS_SVC_ATTR_PORT={0x8, 0x4, 0x4e23}, @IPVS_SVC_ATTR_TIMEOUT={0x8}, @IPVS_SVC_ATTR_AF={0x8, 0x1, 0x2}, @IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0x87}, @IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x14, 0x2}}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@initdev={0xfe, 0x88, [], 0x0, 0x0}}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'dh\x00'}]}, @IPVS_CMD_ATTR_SERVICE={0x10, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0xc, 0x6, 'lblcr\x00'}]}]}, 0x164}, 0x1, 0x0, 0x0, 0x800}, 0x20000000) 00:57:35 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:35 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:35 executing program 1: socketpair$unix(0x1, 0x8000000000000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) fadvise64(r0, 0x0, 0x9, 0x5) write(r0, &(0x7f0000000080)="f41c85fe036b1e3b5fe5bfc14e77e5e6b819f2804ac51eda2eb9ab3617d643ca9e87f2e864a2fdbc1efb969363e87fa02bc9793d505943b3426c4b2ef947316b56e38c3de36d5fd7e0a2957beaae12b6a5e0b28c7ec78a2b03c7ceda31ae1f00000000000000000000000000000000", 0x6f) r2 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000100)='/dev/qat_adf_ctl\x00', 0x303400, 0x0) ioctl$VIDIOC_ENUMAUDOUT(r2, 0xc0345642, &(0x7f0000000180)={0x10000, "67b914eaea2fcaa019bbebb220ec028b2942fb51701a40ecb754cd820c402b53", 0x3, 0x1}) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r2, 0x84, 0x13, &(0x7f0000000200)={0x0, 0xe623}, &(0x7f0000000240)=0x8) setsockopt$inet_sctp6_SCTP_CONTEXT(r2, 0x84, 0x11, &(0x7f0000000280)={r3}, 0x8) prctl$PR_MCE_KILL_GET(0x22) write$binfmt_elf64(r0, &(0x7f00000006c0)=ANY=[], 0x286) setsockopt$sock_int(r1, 0x1, 0x2a, &(0x7f00000001c0)=0x1, 0x4) recvmmsg(r1, &(0x7f0000002bc0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x2, 0x0) getresuid(&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380)=0x0) getsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f00000003c0)={{{@in6=@dev, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @multicast1}}, 0x0, @in6=@remote}}, &(0x7f00000004c0)=0xe8) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000500)={0x0, 0x0, 0x0}, &(0x7f0000000540)=0xc) stat(&(0x7f0000000580)='./file0\x00', &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setxattr$system_posix_acl(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='system.posix_acl_access\x00', &(0x7f0000000640)={{}, {}, [{0x2, 0x1, r4}, {0x2, 0x2, r5}], {0x4, 0x7}, [{0x8, 0x1, r6}, {0x8, 0x2, r7}], {0x10, 0x4}, {0x20, 0x1}}, 0x44, 0x0) [ 305.585823] binder_alloc: 11888: binder_alloc_buf, no vma [ 305.591562] binder: 11888:11889 transaction failed 29189/-3, size 24-8 line 3035 [ 305.606535] binder: 11888:11889 BC_INCREFS_DONE u0000000000000000 node 97 cookie mismatch 0000000000000001 != 0000000000000000 [ 305.618398] binder: 11888:11889 got transaction to context manager from process owning it [ 305.626862] binder: 11888:11889 transaction failed 29201/-22, size 0-0 line 2887 [ 305.637061] binder: undelivered TRANSACTION_ERROR: 29189 [ 305.644402] binder: undelivered TRANSACTION_ERROR: 29201 00:57:35 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:35 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) io_setup(0x8, &(0x7f0000000040)=0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f00000000c0)={0x0, 0x20, &(0x7f0000000000)=[@in={0x2, 0x0, @local}, @in={0x2, 0x0, @loopback}]}, &(0x7f0000000100)=0x10) socket$inet_udplite(0x2, 0x2, 0x88) io_submit(r1, 0x12f, &(0x7f00000000c0)=[&(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, r0, &(0x7f0000001000)}]) [ 305.762297] binder_alloc: 11894: binder_alloc_buf, no vma [ 305.767967] binder: 11894:11895 transaction failed 29189/-3, size 24-8 line 3035 [ 305.843877] binder: 11894:11895 BC_INCREFS_DONE u0000000000000000 node 101 cookie mismatch 0000000000000001 != 0000000000000000 [ 305.855781] binder: 11894:11895 got transaction to context manager from process owning it [ 305.864277] binder: 11894:11895 transaction failed 29201/-22, size 0-0 line 2887 [ 305.873668] binder: undelivered TRANSACTION_ERROR: 29189 [ 305.881287] binder: undelivered TRANSACTION_ERROR: 29201 00:57:35 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 306.017000] binder_alloc: 11903: binder_alloc_buf, no vma [ 306.022791] binder: 11903:11904 transaction failed 29189/-3, size 24-8 line 3035 [ 306.048959] binder: 11903:11904 BC_INCREFS_DONE u0000000000000000 node 105 cookie mismatch 0000000000000001 != 0000000000000000 00:57:36 executing program 1: socketpair$unix(0x1, 0x100000000005, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/net/pfkey\x00', 0x2, 0x0) ioctl$TUNSETTXFILTER(r1, 0x400454d1, &(0x7f0000000080)={0x0, 0x7, [@empty, @local, @link_local, @local, @local, @local, @random="6f8c5b00da4d"]}) r2 = openat$apparmor_thread_current(0xffffffffffffff9c, &(0x7f00000002c0)='/proc/thread-self/attr/current\x00', 0x2, 0x0) write$apparmor_current(r2, &(0x7f0000000000)=@profile={'permprofile ', '%\"//em0ppp1vboxnet0-user\x00'}, 0x25) [ 306.060972] binder: 11903:11904 got transaction to context manager from process owning it [ 306.069494] binder: 11903:11904 transaction failed 29201/-22, size 0-0 line 2887 [ 306.135613] binder: undelivered TRANSACTION_ERROR: 29189 [ 306.148106] binder: undelivered TRANSACTION_ERROR: 29201 [ 306.154984] kauditd_printk_skb: 3 callbacks suppressed [ 306.155017] audit: type=1400 audit(1551488256.205:31): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name=25222F2F656D307070703176626F786E6574302D75736572 pid=11906 comm="syz-executor.1" 00:57:36 executing program 1: socketpair$unix(0x1, 0x1000000000000003, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x1, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="b40000f2ff000000ad000018109c00000000009500ca0b1021e2a821ce0db65ef7967500"], &(0x7f0000000080)='GPL\x04\x9c5\x14\xbfw-\xa0z\xe8.vY\n6\xf6I>\xc1\xab\x91\xb3\x97\xe4*\xbf\x1e\xa6\xcd\x8c\xd7t\'\xfc\x9a\x9e+qe\xf5+A\a\xbf\bP\xd8\x99\xdcR\xd0\x13\x17]\xdb\x1b/F <*\x05\xb7\"\xe3>Uo\xb2\xe3\xf3\x9a<\xde\x1f\xcaSd\x037\xec\x95aF\xbd\xbf\xcb\x11Pp\x19V1\xde]!\xa5\xea\x9ec\x8c+\xdbx\xa5\x01\xcaKn\xa3\x13\xd8%h\xf98,,?o\xab\xa6\xb4\xeeTy;N\xd2m\xae>R\"P)\xbb*\xc0\x00\x7fwuL?#\xce\xda\x98\t\xb9\xa9hJ\x94\n\xbc\xaa\x8c\xfc\xc7\x13>\xc4\"\xe9\xc88\x881\x8dA\xe9\xa4\x93\xf0\x19_\xe2Y\x96Q\xb8\x95\x04\xf5\xdb\xa1F%\xce#f\xf3=\x95\xdb\xa9/\x86ry\xca\xbfJ\xce\xdd\xc8Z\x8a\xf7\xa0\xfah\xd7g\xceQ6\xb9\xd0\xd1\x96lI\x9c\xb6\xbf4\xc2\x98\x86f\x97\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', 0x0, 0x0, 0x0, 0x0, 0x1}, 0x48) 00:57:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 306.338338] binder_alloc: 11913: binder_alloc_buf, no vma [ 306.344218] binder: 11913:11914 transaction failed 29189/-3, size 24-8 line 3035 [ 306.406113] binder: 11913:11914 BC_INCREFS_DONE u0000000000000000 node 109 cookie mismatch 0000000000000001 != 0000000000000000 [ 306.418037] binder: 11913:11914 got transaction to context manager from process owning it 00:57:36 executing program 1: r0 = syz_open_dev$evdev(&(0x7f0000000500)='/dev/input/event#\x00', 0x0, 0x0) r1 = epoll_create(0x100004) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000000040)) r2 = syz_open_dev$video(&(0x7f0000000080)='/dev/video#\x00', 0xdd, 0x101000) ioctl$TIOCSBRK(r0, 0x40044591) epoll_wait(r1, &(0x7f0000000000)=[{}], 0x1, 0x0) ioctl$VIDIOC_ENUM_DV_TIMINGS(r2, 0xc0945662, &(0x7f00000000c0)={0x8, 0x0, [], {0x0, @bt={0xffffffffffffffe0, 0x10001, 0x0, 0x1, 0x0, 0x5a, 0x1ff, 0x7, 0x400, 0x1, 0x4, 0x5, 0x4e, 0xffffffff, 0x14, 0x22}}}) [ 306.450884] binder: undelivered TRANSACTION_ERROR: 29201 00:57:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 306.621793] binder_alloc: 11922: binder_alloc_buf, no vma [ 306.629755] binder: 11922:11923 BC_INCREFS_DONE u0000000000000000 node 113 cookie mismatch 0000000000000001 != 0000000000000000 [ 306.641711] binder: 11922:11923 got transaction to context manager from process owning it 00:57:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:36 executing program 1: r0 = syz_open_dev$sg(&(0x7f0000000040)='/dev/sg#\x00', 0x0, 0x2) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000280)='/dev/null\x00', 0x1, 0x0) ioctl$EVIOCGBITKEY(r1, 0x80404521, &(0x7f0000000780)=""/197) ioctl$SG_IO(r0, 0x2285, &(0x7f0000000500)={0x53, 0x0, 0x70, 0x8001, @scatter={0x4, 0x0, &(0x7f0000000340)=[{&(0x7f0000000080)=""/96, 0x60}, {&(0x7f0000000100)=""/163, 0xa3}, {0xffffffffffffffff}, {&(0x7f00000001c0)=""/134, 0x86}]}, &(0x7f00000003c0)="9895b5fbd71afcf5e1cbd5b11aaa7a1952a87c589e8825f2a9a5ed274957825b5a3f132e82135bb834a7ed3bf6826d183179d553d82a9b0d060d92548099693b287d9aaf65b4ee1831e8741fe2b5d96c8aefa078e10b0c616ca1e9820c260243eaa0d0fd2bd165aa0e56661485b8ddf5", &(0x7f0000000000)=""/19, 0x5, 0x2, 0x3, &(0x7f00000004c0)}) write$binfmt_aout(r0, &(0x7f00000002c0)=ANY=[@ANYBLOB="00000000000020000000000000000000c55e0c2117f8584f99a89c7b3e947c00000000000004000000000000000000"], 0x20) openat$rfkill(0xffffffffffffff9c, &(0x7f0000000300)='/dev/rfkill\x00', 0x3fffff, 0x0) [ 306.799896] sd 0:0:1:0: [sg0] tag#4745 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK [ 306.808829] sd 0:0:1:0: [sg0] tag#4745 CDB: opcode=0x98 [ 306.814366] sd 0:0:1:0: [sg0] tag#4745 CDB[00]: 98 95 b5 fb d7 1a fc f5 e1 cb d5 b1 1a aa 7a 19 [ 306.823341] sd 0:0:1:0: [sg0] tag#4745 CDB[10]: 52 a8 7c 58 9e 88 25 f2 a9 a5 ed 27 49 57 82 5b [ 306.832348] sd 0:0:1:0: [sg0] tag#4745 CDB[20]: 5a 3f 13 2e 82 13 5b b8 34 a7 ed 3b f6 82 6d 18 [ 306.841264] sd 0:0:1:0: [sg0] tag#4745 CDB[30]: 31 79 d5 53 d8 2a 9b 0d 06 0d 92 54 80 99 69 3b [ 306.849286] binder: 11926:11930 BC_INCREFS_DONE u0000000000000000 no match [ 306.850254] sd 0:0:1:0: [sg0] tag#4745 CDB[40]: 28 7d 9a af 65 b4 ee 18 31 e8 74 1f e2 b5 d9 6c [ 306.857391] binder: 11926:11930 Acquire 1 refcount change on invalid ref 0 ret -22 [ 306.866261] sd 0:0:1:0: [sg0] tag#4745 CDB[50]: 8a ef a0 78 e1 0b 0c 61 6c a1 e9 82 0c 26 02 43 [ 306.883012] sd 0:0:1:0: [sg0] tag#4745 CDB[60]: ea a0 d0 fd 2b d1 65 aa 0e 56 66 14 85 b8 dd f5 [ 306.896047] sd 0:0:1:0: [sg0] tag#4746 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK [ 306.904856] sd 0:0:1:0: [sg0] tag#4746 CDB: opcode=0x98 [ 306.910333] sd 0:0:1:0: [sg0] tag#4746 CDB[00]: 98 95 b5 fb d7 1a fc f5 e1 cb d5 b1 1a aa 7a 19 [ 306.919335] sd 0:0:1:0: [sg0] tag#4746 CDB[10]: 52 a8 7c 58 9e 88 25 f2 a9 a5 ed 27 49 57 82 5b [ 306.928322] sd 0:0:1:0: [sg0] tag#4746 CDB[20]: 5a 3f 13 2e 82 13 5b b8 34 a7 ed 3b f6 82 6d 18 [ 306.937261] sd 0:0:1:0: [sg0] tag#4746 CDB[30]: 31 79 d5 53 d8 2a 9b 0d 06 0d 92 54 80 99 69 3b 00:57:37 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:37 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0a5c1f023c126285719070") r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r1, &(0x7f0000000100)={0x26, 'hash\x00', 0x0, 0x0, 'wp512-generic\x00'}, 0x58) r2 = accept$alg(r1, 0x0, 0x0) r3 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000080)='/dev/btrfs-control\x00', 0x101000, 0x0) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f0000000180)={0x0, @in6={{0xa, 0x4e24, 0x10001, @local, 0x61}}}, &(0x7f00000000c0)=0x84) setsockopt$inet_sctp6_SCTP_AUTH_DEACTIVATE_KEY(r3, 0x84, 0x23, &(0x7f0000000280)={r4, 0x56}, 0x8) openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000040)='/\x02roup.stap\x00', 0x2761, 0x0) r5 = openat$cgroup_int(0xffffffffffffffff, &(0x7f0000000040), 0x2, 0x0) mlock(&(0x7f0000ffc000/0x3000)=nil, 0x3000) write$cgroup_int(r5, &(0x7f00000002c0), 0xfefe) sendfile(r2, r5, &(0x7f0000000240), 0xce78) [ 306.946210] sd 0:0:1:0: [sg0] tag#4746 CDB[40]: 28 7d 9a af 65 b4 ee 18 31 e8 74 1f e2 b5 d9 6c [ 306.955151] sd 0:0:1:0: [sg0] tag#4746 CDB[50]: 8a ef a0 78 e1 0b 0c 61 6c a1 e9 82 0c 26 02 43 [ 306.964097] sd 0:0:1:0: [sg0] tag#4746 CDB[60]: ea a0 d0 fd 2b d1 65 aa 0e 56 66 14 85 b8 dd f5 [ 307.074346] binder: 11933:11936 BC_INCREFS_DONE u0000000000000000 no match [ 307.081548] binder: 11933:11936 Acquire 1 refcount change on invalid ref 0 ret -22 00:57:37 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 307.268936] binder: 11939:11940 BC_INCREFS_DONE u0000000000000000 no match [ 307.276210] binder: 11939:11940 Acquire 1 refcount change on invalid ref 0 ret -22 00:57:37 executing program 1: mkdir(&(0x7f0000578000)='./file0\x00', 0x0) lsetxattr(&(0x7f0000000080)='./file0\x00', &(0x7f00000001c0)=@known='security.selinux\x00', &(0x7f0000000240), 0xfe5f, 0x0) r0 = dup(0xffffffffffffffff) ioctl$CAPI_REGISTER(r0, 0x400c4301, &(0x7f0000000040)={0x9, 0x8, 0x7f}) openat$pfkey(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/self/net/pfkey\x00', 0x40, 0x0) rmdir(&(0x7f0000000000)='./file0\x00') 00:57:37 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:37 executing program 1: r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000100)='/dev/autofs\x00', 0x0, 0x0) write$P9_RSTATu(r0, &(0x7f0000000380)=ANY=[], 0xffffffffffffff6a) openat$sequencer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer\x00', 0x0, 0x0) ioctl$SIOCSIFMTU(0xffffffffffffffff, 0x8922, &(0x7f00000003c0)={'team0\x00'}) r1 = add_key$user(&(0x7f0000000280)='user\x00', &(0x7f0000000000)={'syz'}, &(0x7f0000000240)='X', 0x1, 0xfffffffffffffffe) r2 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f00000005c0)={'syz'}, &(0x7f00000000c0), 0x390, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000080)={r1, r2, r2}, &(0x7f0000000140)=""/83, 0x53, &(0x7f00000001c0)={&(0x7f0000000040)={'crct10dif\x00'}, &(0x7f00000001c0)}) [ 307.523151] binder: 11947:11948 BC_INCREFS_DONE u0000000000000000 no match [ 307.530396] binder: 11947:11948 Acquire 1 refcount change on invalid ref 0 ret -22 00:57:37 executing program 0: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 307.712858] binder: 11953:11954 BC_INCREFS_DONE u0000000000000000 node 126 cookie mismatch 0000000000000001 != 0000000000000000 [ 307.724754] binder: 11953:11954 got transaction to context manager from process owning it 00:57:37 executing program 0: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:37 executing program 1: r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000100)='/dev/autofs\x00', 0x0, 0x0) write$P9_RSTATu(r0, &(0x7f0000000380)=ANY=[], 0xffffffffffffff6a) openat$sequencer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer\x00', 0x0, 0x0) ioctl$SIOCSIFMTU(0xffffffffffffffff, 0x8922, &(0x7f00000003c0)={'team0\x00'}) r1 = add_key$user(&(0x7f0000000280)='user\x00', &(0x7f0000000000)={'syz'}, &(0x7f0000000240)='X', 0x1, 0xfffffffffffffffe) r2 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f00000005c0)={'syz'}, &(0x7f00000000c0), 0x390, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000080)={r1, r2, r2}, &(0x7f0000000140)=""/83, 0x53, &(0x7f00000001c0)={&(0x7f0000000040)={'crct10dif\x00'}, &(0x7f00000001c0)}) [ 307.955353] binder: 11960:11961 BC_INCREFS_DONE u0000000000000000 node 129 cookie mismatch 0000000000000001 != 0000000000000000 [ 307.967266] binder: 11960:11961 got transaction to context manager from process owning it 00:57:38 executing program 1: r0 = syz_open_dev$sg(&(0x7f0000000300)='/dev/sg#\x00', 0x0, 0x2) ioctl$SG_IO(r0, 0x2285, 0x0) write$binfmt_script(r0, &(0x7f0000000440)=ANY=[@ANYBLOB="2321202e2f66696c65300a96de86d81aacdb3ba584580de2bfff37e108270010dfd5e3fb5cabab678bd9cf0b8b1c"], 0x2e) write$binfmt_script(r0, &(0x7f00000008c0)=ANY=[@ANYBLOB="2321202e2f66697374656d5b730200696e75787d6c3177ee76440ad2dedc6f5d20026465762f616d6900000000000000"], 0x30) r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/qat_adf_ctl\x00', 0x40000, 0x0) r2 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_MEDIA_NAMES(r1, &(0x7f0000000180)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x1c, r2, 0x500, 0x70bd25, 0x25dfdbfd, {}, [""]}, 0x1c}, 0x1, 0x0, 0x0, 0x20004050}, 0x4004000) write$binfmt_script(r1, &(0x7f00000001c0)={'#! ', './file0', [{0x20, 'eth0'}, {0x20, 'eth0'}, {0x20, 'vmnet0lo'}, {0x20, '/dev/sg#\x00'}, {0x20, 'cgroup'}], 0xa, "fba8e7f685a8d0edacfbdad6fe8b9cd0952be9b888e2af44ce2a24c24c8b897dc34a65ba581f11f2213e5b36aec09f09057f175551c79373204bcdcd5751930ebbe85a7416e26c55415fcb3613"}, 0x7c) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) write$binfmt_script(r0, &(0x7f0000000000)={'#! ', './file0', [{0x20, 'eth0'}, {0x20, '#! '}, {0x20, '${'}, {0x20, '/dev/sg#\x00'}, {0x20, '#! '}], 0xa, "00fbdd695d"}, 0x2a) write$binfmt_elf32(r0, &(0x7f00000004c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38}, [{}]}, 0x58) 00:57:38 executing program 0: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:38 executing program 1: unshare(0x22060503) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/kvm\x00', 0x0, 0x0) setrlimit(0x6, &(0x7f0000000100)) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x800, 0x0) write$FUSE_WRITE(r1, &(0x7f0000000040)={0x18, 0xffffffffffffffda, 0x1, {0x10000}}, 0x18) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$PIO_UNIMAP(r1, 0x4b67, &(0x7f00000000c0)={0x3, &(0x7f0000000080)=[{0xce, 0x51}, {0x954, 0x8}, {0x40, 0x3e49}]}) [ 308.184753] binder: 11966:11967 BC_INCREFS_DONE u0000000000000000 node 132 cookie mismatch 0000000000000001 != 0000000000000000 [ 308.196730] binder: 11966:11967 got transaction to context manager from process owning it 00:57:38 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 308.273290] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 308.385986] binder: 11973:11974 ioctl c0306201 0 returned -14 00:57:38 executing program 1: r0 = add_key$user(&(0x7f00000000c0)='user\x00', &(0x7f0000000240)={'syz'}, &(0x7f0000000680)="585ccbe4ed83b836c1a6474914dc55e72206297b6895b66147b3c7218a9169a85ea0bdc9e1587a050000000000000042e33089754c8107c3cd3923dd4a71c2ff06007b6b4816122d2550829eaa9435c99926022b8753a188748c569f435fb3bae96efb74b50ec93cb0725be6027d152f5e8e198a29e5c0d0c60000ce0637ce0000b4ec24c53d3d661ff5ff70e48884ca000018cea71fcfacf40d32e4b58a8d2725561f6110fd7b06f90b5274cc5c1e298a16324fe27da2a9d5ba9ff3c009d308", 0xc0, 0xfffffffffffffffe) r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/snapshot\x00', 0x40, 0x0) openat$cgroup_ro(r1, &(0x7f0000000300)='cpuacct.usage_user\x00', 0x0, 0x0) r2 = add_key(&(0x7f0000000000)='encrypted\x00', &(0x7f0000000140)={'syz', 0x1}, &(0x7f0000000280)="22c571aea326d494a7fe691313cffb002f875189fdb07fe6e5", 0x19, 0xfffffffffffffffc) r3 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f00000005c0)={'syz'}, &(0x7f0000000100)='\x00', 0x1, r2) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) keyctl$dh_compute(0x17, &(0x7f0000000080)={r3, r0, r3}, &(0x7f0000000440)=""/243, 0xf3, &(0x7f0000000180)={&(0x7f00000001c0)={'crc32c-generic\x00'}, &(0x7f0000000040)="68d6e1c687d4b258cb2360", 0xb}) 00:57:38 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 308.530630] encrypted_key: insufficient parameters specified [ 308.543678] encrypted_key: insufficient parameters specified 00:57:38 executing program 2: r0 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x7fffffff, 0x0) ioctl$VIDIOC_ENUMAUDIO(r0, 0xc0345641, &(0x7f0000000040)={0x9, "a449ad83b6d165550e18503e2f75d6fe976e64041d4ff79cddccee89c60d9e76", 0x2, 0x1}) r1 = msgget$private(0x0, 0x30) msgctl$MSG_STAT(r1, 0xb, &(0x7f0000000080)=""/105) ioctl$TIOCSWINSZ(r0, 0x5414, &(0x7f0000000100)={0xfffffffffffffffd, 0x5, 0x1, 0x4}) fstatfs(r0, &(0x7f0000000140)=""/4096) setns(r0, 0x0) write$P9_RAUTH(r0, &(0x7f0000001140)={0x14, 0x67, 0x1, {0x2, 0x4, 0x7}}, 0x14) ioctl$KVM_GET_PIT2(r0, 0x8070ae9f, &(0x7f0000001180)) stat(&(0x7f0000001240)='./file0\x00', &(0x7f0000001280)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000001300), &(0x7f0000001340), &(0x7f0000001380)=0x0) chown(&(0x7f0000001200)='./file0\x00', r2, r3) sysinfo(&(0x7f00000013c0)) ioctl$sock_SIOCADDDLCI(r0, 0x8980, &(0x7f0000001400)={'syzkaller0\x00', 0x80}) setsockopt$inet_tcp_TCP_QUEUE_SEQ(r0, 0x6, 0x15, &(0x7f0000001440)=0x9, 0x4) ioctl$FS_IOC_GETFSLABEL(r0, 0x81009431, &(0x7f0000001480)) getsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f0000001580), &(0x7f00000015c0)=0x8) link(&(0x7f0000001600)='./file0\x00', &(0x7f0000001640)='./file0\x00') ioctl$KVM_UNREGISTER_COALESCED_MMIO(r0, 0x4010ae68, &(0x7f0000001680)={0xeb1ddfb41a24e443, 0x8000}) getsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000001740)=@assoc_value={0x0}, &(0x7f0000001780)=0x8) setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x5, &(0x7f00000017c0)={r4, @in={{0x2, 0x4e21, @rand_addr=0xfffffffffffffd7e}}}, 0x84) getsockopt$inet_sctp6_SCTP_NODELAY(r0, 0x84, 0x3, &(0x7f0000001880), &(0x7f00000018c0)=0x4) setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000001900)={@in={{0x2, 0x4e22, @local}}, 0x0, 0x7fff, 0x0, "84817f013279d338564844ad9740d58086c0966717714c6cc3f92de4aed5a88ea66e0011c8deebe7468edbee981d1d952363d771ee1f47f3b0cdef7eb8ac06862ea1d74321036551ec8ff885a01b358d"}, 0xd8) setsockopt$XDP_UMEM_COMPLETION_RING(r0, 0x11b, 0x6, &(0x7f0000001a00)=0x2, 0x4) fstat(r0, &(0x7f0000001a40)) ioctl$FS_IOC_FIEMAP(r0, 0xc020660b, &(0x7f0000001ac0)={0x2, 0x3, 0x6, 0x8, 0x3, [{0x9, 0x1, 0x200, 0x0, 0x0, 0x1}, {0x7fff, 0x0, 0x135b, 0x0, 0x0, 0xd}, {0x2, 0x200, 0xd63, 0x0, 0x0, 0x882}]}) ioctl$SNDRV_CTL_IOCTL_HWDEP_INFO(r0, 0x80dc5521, &(0x7f0000001bc0)=""/123) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_genetlink_get_family_id$team(&(0x7f0000001c40)='team\x00') ioctl$SNDRV_CTL_IOCTL_ELEM_WRITE(r0, 0xc4c85513, &(0x7f0000001c80)={{0x5, 0x7, 0xa31, 0x868, 'syz0\x00', 0x47f}, 0x0, [0x7, 0x6, 0x5, 0x4, 0xed, 0x8000, 0x8, 0x0, 0x752, 0x2, 0x88, 0x100, 0x10001, 0xd138, 0x2, 0x4, 0x4, 0x4, 0x5, 0x7fff, 0xffff, 0x2, 0xb1, 0x4, 0x3, 0x7e, 0x100000001, 0x98, 0x9, 0xffff, 0x7, 0x8, 0x6, 0x3, 0x8, 0x9, 0xab0, 0x37, 0xfffffffffffffff7, 0x5, 0x6f, 0x6, 0xfffffffffffffff7, 0x8, 0x100, 0x80000001, 0xc8a, 0x80, 0x5, 0x4, 0x1f, 0x9, 0xfffffffffffff9c7, 0x0, 0x4, 0x3, 0x2766f445, 0x1, 0x65ea, 0x7fff, 0x0, 0x2, 0x3, 0x1, 0x200, 0x80000001, 0x666a, 0xe4b, 0x8, 0x5bd5, 0x6, 0xfffffffffffffbff, 0x4, 0x5, 0xad, 0x9, 0x100, 0x4, 0x80, 0x5, 0x99c, 0x0, 0xffff, 0x20, 0xffffffffffff021c, 0xf50, 0xd63, 0x20, 0x81, 0x0, 0x19596b27, 0x400000000000000, 0x4, 0x800, 0x9, 0x1ff, 0x5, 0x6, 0x53d, 0x1f, 0xd9bd, 0x6, 0x1, 0x3, 0x5a1, 0x7, 0x276, 0xfff, 0x9, 0x8, 0x40, 0x9, 0x8, 0x1, 0x0, 0x1, 0x3e, 0x0, 0x401, 0xfffffffffffffe00, 0x7, 0x6, 0x6c0000000000000, 0xffff, 0x3, 0x6, 0xfffffffffffffff9, 0x9]}) [ 308.594398] binder: 11980:11981 ioctl c0306201 0 returned -14 00:57:38 executing program 1: membarrier(0x2, 0x0) r0 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x400, 0x0) ioctl$KDSKBMETA(r0, 0x4b63, &(0x7f0000000080)=0x9b) ioctl$TIOCLINUX6(r0, 0x541c, &(0x7f0000000040)={0x6, 0x4}) 00:57:38 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:38 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet(0x10, 0x3, 0x10) openat$snapshot(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snapshot\x00', 0x80000, 0x0) sendmsg(r1, &(0x7f0000011fc8)={0x0, 0x0, &(0x7f0000009ff0)=[{&(0x7f0000000000)="240000000c0607031dfffd946fa2830020200a0009000100061d85680c1baba20400ff7e28000000110affffba010000000009b356da5a80d18be34c8546c8243929db2406b20cd37ed01cc0", 0x4c}], 0x1}, 0x0) [ 308.883948] binder: 11988:11989 ioctl c0306201 0 returned -14 00:57:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:39 executing program 1: r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vga_arbiter\x00', 0x10000007ff, 0x0) ioctl$VIDIOC_TRY_EXT_CTRLS(r0, 0xc0205649, &(0x7f0000000240)={0x9a0000, 0x7, 0x80000000, [], &(0x7f0000000200)={0x9909d2, 0x1ff, [], @string=&(0x7f00000001c0)=0x6}}) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x40041, 0x0) setsockopt$inet6_tcp_int(r1, 0x6, 0x3f, &(0x7f00000000c0), 0x4) mprotect(&(0x7f0000013000/0x1000)=nil, 0x1000, 0x0) flistxattr(r1, &(0x7f0000000180)=""/47, 0x2f) r2 = syz_open_dev$dri(&(0x7f0000000100)='/dev/dri/card#\x00', 0x400, 0x20000000000000) ioctl$PPPIOCSNPMODE(r0, 0x4008744b, &(0x7f0000000000)={0xc2a1, 0x2}) ioctl$BLKFRASET(r0, 0x1264, &(0x7f0000000140)=0x1) socketpair$unix(0x1, 0x6, 0x0, &(0x7f0000000280)={0xffffffffffffffff, 0xffffffffffffffff}) bpf$MAP_CREATE(0x0, &(0x7f0000000080)={0x0, 0x0, 0x7}, 0xfffffffffffffff1) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) getsockopt$XDP_STATISTICS(r0, 0x11b, 0x7, &(0x7f0000000340), &(0x7f0000000380)=0x18) inotify_init1(0x1000000080800) r4 = fcntl$getown(r3, 0x9) syz_open_procfs$namespace(r4, &(0x7f00000002c0)='ns/cgroup\x00') ioctl(r2, 0xffffffffffffffb0, &(0x7f0000000080)) 00:57:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 309.364672] binder_thread_write: 4 callbacks suppressed [ 309.364722] binder: 12000:12002 BC_INCREFS_DONE u0000000000000000 node 147 cookie mismatch 0000000000000001 != 0000000000000000 [ 309.382362] binder_transaction: 4 callbacks suppressed [ 309.382385] binder: 12000:12002 got transaction to context manager from process owning it [ 309.396116] binder_transaction: 18 callbacks suppressed [ 309.396152] binder: 12000:12002 transaction failed 29201/-22, size 0-0 line 2887 00:57:39 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) close(r0) socket$inet6_sctp(0xa, 0x1, 0x84) io_submit(0x0, 0x0, &(0x7f0000000600)) [ 309.487863] IPVS: ftp: loaded support on port[0] = 21 00:57:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 309.554857] binder_release_work: 18 callbacks suppressed [ 309.554873] binder: undelivered TRANSACTION_ERROR: 29201 00:57:39 executing program 1: r0 = socket$inet(0x10, 0x2, 0x0) sendmsg(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000440)="240000001e0007041dfffd946f6105005e0000001f000000000008000800a3a20400ff7e", 0x24}], 0x1}, 0x0) socket$nl_route(0x10, 0x3, 0x0) [ 309.663188] binder: 12009:12010 BC_INCREFS_DONE u0000000000000000 node 150 cookie mismatch 0000000000000001 != 0000000000000000 [ 309.675040] binder: 12009:12010 got transaction to context manager from process owning it [ 309.683518] binder: 12009:12010 transaction failed 29201/-22, size 0-0 line 2887 00:57:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 309.814202] chnl_net:caif_netlink_parms(): no params data found [ 309.817364] binder: undelivered TRANSACTION_ERROR: 29201 00:57:40 executing program 1: r0 = socket$inet(0x10, 0x3, 0xc) sendmsg(r0, &(0x7f000001d000)={0x0, 0x0, &(0x7f0000024000)=[{&(0x7f0000000100)="24000000100007031dff22946fa2830020200a0009000300001d85687f0000000400ff7e28000000050a43ba5d806055b6fdd80b40000000140008000029ec2400020cd37e99d69cda45a95e", 0x4c}], 0x1}, 0x0) getsockopt$inet_sctp_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f0000000000), &(0x7f0000000040)=0x4) [ 309.939061] bridge0: port 1(bridge_slave_0) entered blocking state [ 309.945739] bridge0: port 1(bridge_slave_0) entered disabled state [ 309.954259] device bridge_slave_0 entered promiscuous mode [ 309.967413] binder: 12017:12018 BC_INCREFS_DONE u0000000000000000 node 153 cookie mismatch 0000000000000001 != 0000000000000000 [ 309.979301] binder: 12017:12018 got transaction to context manager from process owning it [ 309.987795] binder: 12017:12018 transaction failed 29201/-22, size 0-0 line 2887 [ 309.997466] bridge0: port 2(bridge_slave_1) entered blocking state [ 310.004213] bridge0: port 2(bridge_slave_1) entered disabled state [ 310.012612] device bridge_slave_1 entered promiscuous mode [ 310.081961] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 310.094045] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 310.165397] binder: undelivered TRANSACTION_ERROR: 29201 [ 310.226615] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 310.235645] team0: Port device team_slave_0 added [ 310.264142] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 310.272966] team0: Port device team_slave_1 added [ 310.295507] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 310.316228] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 310.447196] device hsr_slave_0 entered promiscuous mode [ 310.583022] device hsr_slave_1 entered promiscuous mode [ 310.843867] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 310.851488] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 310.897721] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 310.987703] 8021q: adding VLAN 0 to HW filter on device bond0 [ 311.004371] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 311.019049] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 311.026054] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 311.033987] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 311.054230] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 311.060335] 8021q: adding VLAN 0 to HW filter on device team0 [ 311.077998] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 311.086601] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 311.095534] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 311.104038] bridge0: port 1(bridge_slave_0) entered blocking state [ 311.110531] bridge0: port 1(bridge_slave_0) entered forwarding state [ 311.127717] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 311.141810] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 311.151028] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 311.159194] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 311.168112] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 311.176893] bridge0: port 2(bridge_slave_1) entered blocking state [ 311.183469] bridge0: port 2(bridge_slave_1) entered forwarding state [ 311.191316] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 311.213391] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 311.220930] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 311.242898] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 311.251088] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 311.260535] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 311.277789] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 311.291838] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 311.299316] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 311.307832] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 311.317117] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 311.326475] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 311.335025] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 311.351705] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 311.361292] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 311.373249] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 311.379336] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 311.390069] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 311.398742] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 311.428090] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 311.455701] 8021q: adding VLAN 0 to HW filter on device batadv0 00:57:41 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:41 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000004c0)={0xffffffffffffffff, 0xffffffffffffffff}) write$binfmt_aout(r0, &(0x7f0000000900)=ANY=[@ANYBLOB="07f5000196e8508f7f029b2c866d11847b4e26ff42a8b506e0b2d409fac929a82c7f718212383e294f0eaac439444b43cb9f889f66466e339080ed612f88ac7308dc9867a37479ff25e376826fc1e27568a705a1a988e73784e56012b4358f4bb9ce000000000000e423a2ea0237dd1568ebe5f54ebd7d0a3e5dc905e4a1e0f58f9dd3e58ec4d5f86c9203d9dee11749f5e6f3446c2649f8fa18b28586455e4aad710d4d3ee3ee16b7c0db76c5d3ccdc78bb1a7a5a8b4b28c6155987f950e821dfee81838da097d997e61a298cbde6de191adc658cf6afc5969fd3f7caea6ccd27c080180d5fda5e586224dc2715950f6c3bb6bfc69b640aaaa66124a91babff76f7627d6cd7f90484ad695db6a291cd464b4928d45261d6ea464a84d6a2159c8ab713517ccc9f410070d3996c1bc025ea1724cf4723117d3b408311fc851de9aa1deec37199690e591026516e015ffb91a5981e0f68f2fc6bfbeece1ca9dc8801092d14e21e9cbf08befe26bb044a3ceffdd0ec11a3afed8d7da681809a714346e2e86cdb513eefa8db78cbdd957025bb690547ffae8b6060ec534556c3f0b25bb5ff4fb765"], 0x1) r2 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x2) ioctl$KVM_RUN(r2, 0xae80, 0x0) setsockopt$sock_int(r1, 0x1, 0x2a, &(0x7f0000000000)=0x2020000, 0x4) recvmsg(r1, &(0x7f0000005f40)={0x0, 0x0, 0x0}, 0x2) shutdown(r0, 0x1) r3 = syz_open_dev$adsp(&(0x7f00000000c0)='/dev/adsp#\x00', 0xffff, 0x410000) setsockopt$RXRPC_SECURITY_KEYRING(r3, 0x110, 0x2, &(0x7f0000000100)='\x00', 0x1) recvmsg(r3, &(0x7f00000008c0)={&(0x7f0000000040)=@vsock={0x28, 0x0, 0x0, @my}, 0x80, &(0x7f0000000780)=[{&(0x7f0000000240)=""/215, 0xd7}, {&(0x7f0000000340)=""/31, 0x1f}, {&(0x7f0000000380)=""/176, 0xb0}, {&(0x7f0000000500)=""/202, 0xca}, {&(0x7f0000000440)}, {&(0x7f0000000480)}, {&(0x7f0000000600)=""/77, 0x4d}, {&(0x7f0000000680)=""/72, 0x48}, {&(0x7f0000000700)=""/70, 0x46}], 0x9, &(0x7f0000000840)=""/111, 0x6f}, 0x10040) 00:57:41 executing program 2: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$nullb(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/nullb0\x00', 0x4000000004002, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000b, 0x13, r1, 0x0) madvise(&(0x7f0000836000/0x400000)=nil, 0x400000, 0x1) r2 = socket(0x10, 0x803, 0x0) r3 = syz_open_dev$amidi(&(0x7f0000000080)='/dev/amidi#\x00', 0x2, 0x56a9be2300645b44) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT(r3, 0x404c534a, &(0x7f0000000100)={0x8001, 0x6, 0x800}) getsockopt$SO_BINDTODEVICE(r2, 0x1, 0x2f, &(0x7f0000000000), 0x10) [ 311.737087] binder: 12030:12031 BC_INCREFS_DONE u0000000000000000 node 156 cookie mismatch 0000000000000001 != 0000000000000000 [ 311.749078] binder: 12030:12031 got transaction to context manager from process owning it [ 311.757611] binder: 12030:12031 transaction failed 29201/-22, size 0-0 line 2887 00:57:41 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:41 executing program 1: sendmsg$IPVS_CMD_ZERO(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000180)=ANY=[@ANYBLOB="0ab50faba44a64e43d96965fef350ac08dad03d2c70502f91d994e7f9fadbe625ea8b3f29a16c43d118b16751d99e7030000000000000055cb0f30630bcb6b0129a9b909886b06876c1fcbd2387f000800000000e7ad0104dd7f8b2f94cf6738d9fdffffff0000", @ANYRES16=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x270}}, 0x0) r0 = syz_open_dev$dri(&(0x7f0000000080)='/dev/dri/card#\x00', 0x4, 0x7) r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x40, 0x0) setsockopt$bt_rfcomm_RFCOMM_LM(r1, 0x12, 0x3, &(0x7f0000000040)=0x30, 0x4) ioctl(r0, 0xffffffffffffffc6, &(0x7f00000000c0)) [ 311.910413] binder: undelivered TRANSACTION_ERROR: 29201 00:57:42 executing program 2: r0 = creat(&(0x7f0000001240)='./file0\x00', 0x92) r1 = socket$inet6(0xa, 0x80003, 0xff) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) setsockopt$inet6_int(r1, 0x29, 0x16, &(0x7f0000000040), 0x4) r2 = socket$inet6(0xa, 0x80003, 0x621) setsockopt$inet6_int(r2, 0x29, 0x16, &(0x7f0000fcb000), 0x4) r3 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000001080)='/proc/self/net/pfkey\x00', 0x2000, 0x0) prctl$PR_SET_DUMPABLE(0x4, 0x1) ioctl$RNDCLEARPOOL(r3, 0x5206, &(0x7f00000010c0)=0xff) close(r3) sendmsg$nl_route(r3, &(0x7f0000001440)={&(0x7f0000001380), 0xc, &(0x7f0000001400)={&(0x7f00000013c0)=ANY=[@ANYBLOB="1c0000277e050068f897a6038b4800e2"], 0x1c}, 0x1, 0x0, 0x0, 0x8000}, 0x20000000) r4 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0xc0402, 0x0) ioctl$SNDRV_TIMER_IOCTL_STATUS(r4, 0x80605414, &(0x7f0000000080)=""/4096) setsockopt$inet_group_source_req(r3, 0x0, 0x0, &(0x7f0000001100)={0x79ad, {{0x2, 0x4e24, @local}}, {{0x2, 0x4e24, @empty}}}, 0x108) ioctl$EVIOCGUNIQ(r4, 0x80404508, &(0x7f0000001280)=""/231) [ 312.099217] binder: 12043:12047 BC_INCREFS_DONE u0000000000000000 node 159 cookie mismatch 0000000000000001 != 0000000000000000 [ 312.112117] binder: 12043:12047 got transaction to context manager from process owning it [ 312.120483] binder: 12043:12047 transaction failed 29201/-22, size 0-0 line 2887 00:57:42 executing program 1: bind$alg(0xffffffffffffffff, &(0x7f0000000080)={0x26, 'skcipher\x00', 0x0, 0x0, 'chacha20\x00'}, 0x58) setsockopt$ALG_SET_KEY(0xffffffffffffffff, 0x117, 0x1, &(0x7f0000ff8000)="0a0775b005e381e5b3b60ced5c54dbb7295df0df8217ad4000000000000000e6", 0x20) r0 = accept$alg(0xffffffffffffffff, 0x0, 0x0) sendmmsg(r0, &(0x7f0000001fc0)=[{{&(0x7f0000000180)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, 0x80, &(0x7f0000001440)=[{&(0x7f0000002000)="609512c620c9661fb54c25dde20709485942b0af9d6467d2078f95d5bc714e6acc4bc3384648847698a2b62c93e1dfffbae1c2fd8ab54856f877eadb27a935201357764ea659be7682b523285e420fd5bf5b3e592127036005e64971e85c64d6992cf03d7225871b12c1dc3c2987a584ab900bb979e07ca39fbb7d16761b54a3f9dc276bebeebd704388912ecbcd5b9f996e26bd8b6a5aa0b74034df27d11def9283c03a1ed7e530d6ac6bb0bd4f494a94ec4cb22bc7ca41f0fae61ada1d", 0xbe}], 0x1}}], 0x1, 0x0) recvmsg(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000001200)=""/189, 0xbd}, {&(0x7f00000012c0)=""/251, 0xfb}], 0x2, &(0x7f00000013c0)=""/111, 0x6f}, 0x0) 00:57:42 executing program 2: r0 = creat(&(0x7f0000001240)='./file0\x00', 0x92) r1 = socket$inet6(0xa, 0x80003, 0xff) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) setsockopt$inet6_int(r1, 0x29, 0x16, &(0x7f0000000040), 0x4) r2 = socket$inet6(0xa, 0x80003, 0x621) setsockopt$inet6_int(r2, 0x29, 0x16, &(0x7f0000fcb000), 0x4) r3 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000001080)='/proc/self/net/pfkey\x00', 0x2000, 0x0) prctl$PR_SET_DUMPABLE(0x4, 0x1) ioctl$RNDCLEARPOOL(r3, 0x5206, &(0x7f00000010c0)=0xff) close(r3) sendmsg$nl_route(r3, &(0x7f0000001440)={&(0x7f0000001380), 0xc, &(0x7f0000001400)={&(0x7f00000013c0)=ANY=[@ANYBLOB="1c0000277e050068f897a6038b4800e2"], 0x1c}, 0x1, 0x0, 0x0, 0x8000}, 0x20000000) r4 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0xc0402, 0x0) ioctl$SNDRV_TIMER_IOCTL_STATUS(r4, 0x80605414, &(0x7f0000000080)=""/4096) setsockopt$inet_group_source_req(r3, 0x0, 0x0, &(0x7f0000001100)={0x79ad, {{0x2, 0x4e24, @local}}, {{0x2, 0x4e24, @empty}}}, 0x108) ioctl$EVIOCGUNIQ(r4, 0x80404508, &(0x7f0000001280)=""/231) 00:57:42 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:42 executing program 1: mkdir(&(0x7f0000fd5ff8)='./file0\x00', 0x0) linkat(0xffffffffffffffff, &(0x7f0000000140)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000240)='./file0\x00', 0x0) mount(&(0x7f000000a000), &(0x7f00000001c0)='./file0\x00', &(0x7f0000000300)='ramfs\x00', 0x0, &(0x7f0000000380)) mount(&(0x7f0000d04000), &(0x7f0000000980)='./file0\x00', &(0x7f00000003c0)='\x00\x00\x00\x00\x00', 0x100000, &(0x7f00000009c0)) mount(&(0x7f0000000240), &(0x7f0000000000)='.', &(0x7f0000000480)='\xb3\xb8\x15W\x13\xfb\x18\xde\xa12T\x03\xcfIE\x8e\xa0U\xd7Y\x19\x82\x90=I\x1d\x14\xc2\xe9\xcb\xc3\x9e\x8b\xf7\x05\xc2\x1dL\xc6\xc5p\xba\x1b\x1b\x03\xc6\xdb@\x04\f\x16:m\xee\x93)\xd6i\xc3\xa8:\x02\xef!\x19\x95}mM\x06\xf7\x9c])\xc3\xf9z\xcb\xbb\xd1\xa0\x03H\x98\x93\x97\x12\xccc\x02\x0f1\x10\x7f1\xc3\xa7\xeak\x05Z=\x9c\xd0XE\x1e\xef\xeen\xbd\xb05x1yga\xe1o\x81\x0e$R\xbe}\v\xbb\x99\xee\x89\a9\x87?-\xe4\x81\x87B\x83B\xa5\xe9_b^{I&]\xcb\x01\xcd\xb7\x18\xbd) \x86>\xd6\xafH\xbf\x04J\xd8s\x94bZ$B=_\xef\xeb\xc9=:J\x96\xd5\x82\xc66\xa0\xbc>\xc3\xfa\x80\x85M\xebA\xda\xa2!\xd1.\xd5\xbd\xc1\xae\xaa\xbe\xd9\xdc\xbb\x85\vG\xa9\x8a\xb2VI8z\xb1\x1d{ Z\a\xb9\b+sl\x17\xf9}', 0x1004, 0x0) mount(&(0x7f0000000040)=@nullb='/dev/nullb0\x00', &(0x7f0000000080)='./file0\x00', &(0x7f0000000180)='befs\x00', 0x80000, &(0x7f0000000200)='hugetlbfs\x00') mount(&(0x7f0000000380)=@filename='./file0\x00', &(0x7f0000000400)='./file0\x00', &(0x7f0000000440)='hugetlbfs\x00', 0x8000, &(0x7f0000000280)='hugetlbfs\x00') [ 312.374880] binder: undelivered TRANSACTION_ERROR: 29201 [ 312.467418] binder: 12060:12062 got transaction with invalid offset (0, min 0 max 0) or object. [ 312.476702] binder: 12060:12062 transaction failed 29201/-22, size 0-8 line 3097 00:57:42 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f023c123f3188a070") r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000280)='oom_score\x00') ioctl$EVIOCGABS0(r2, 0x80184540, &(0x7f00000002c0)=""/234) r3 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer\x00', 0x0, 0x0) setsockopt$inet6_MRT6_ADD_MFC_PROXY(r3, 0x29, 0xd2, &(0x7f0000000140)={{0xa, 0x4e23, 0x675b, @local}, {0xa, 0x4e22, 0x3, @dev={0xfe, 0x80, [], 0x15}, 0x8}, 0x101, [0x0, 0x6a2a, 0x6, 0xa63f, 0x0, 0x9, 0x6, 0x9]}, 0x5c) ioctl$VIDIOC_G_EXT_CTRLS(r0, 0xc0205647, &(0x7f0000000200)={0x990000, 0x101, 0x48898b77, [], &(0x7f00000001c0)={0x990bfd, 0x8, [], @ptr=0x2}}) ioctl$EXT4_IOC_GROUP_ADD(r1, 0x40286608, &(0x7f0000000240)={0x3, 0x100000000, 0x5, 0x4, 0x8001, 0x3}) ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000000)=0x11) ioctl$TCSETSW(r1, 0x5423, &(0x7f0000000040)) [ 312.519433] binder: 12060:12062 BC_INCREFS_DONE u0000000000000000 node 162 cookie mismatch 0000000000000001 != 0000000000000000 [ 312.531275] binder: 12060:12062 got transaction to context manager from process owning it [ 312.539858] binder: 12060:12062 transaction failed 29201/-22, size 0-0 line 2887 [ 312.552323] binder: undelivered TRANSACTION_ERROR: 29201 00:57:42 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 312.641577] binder: undelivered TRANSACTION_ERROR: 29201 00:57:42 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f023c123f3188a070") r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000280)='oom_score\x00') ioctl$EVIOCGABS0(r2, 0x80184540, &(0x7f00000002c0)=""/234) r3 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer\x00', 0x0, 0x0) setsockopt$inet6_MRT6_ADD_MFC_PROXY(r3, 0x29, 0xd2, &(0x7f0000000140)={{0xa, 0x4e23, 0x675b, @local}, {0xa, 0x4e22, 0x3, @dev={0xfe, 0x80, [], 0x15}, 0x8}, 0x101, [0x0, 0x6a2a, 0x6, 0xa63f, 0x0, 0x9, 0x6, 0x9]}, 0x5c) ioctl$VIDIOC_G_EXT_CTRLS(r0, 0xc0205647, &(0x7f0000000200)={0x990000, 0x101, 0x48898b77, [], &(0x7f00000001c0)={0x990bfd, 0x8, [], @ptr=0x2}}) ioctl$EXT4_IOC_GROUP_ADD(r1, 0x40286608, &(0x7f0000000240)={0x3, 0x100000000, 0x5, 0x4, 0x8001, 0x3}) ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000000)=0x11) ioctl$TCSETSW(r1, 0x5423, &(0x7f0000000040)) 00:57:42 executing program 1: keyctl$dh_compute(0x17, &(0x7f0000000100), &(0x7f0000000080)=""/107, 0x6b, &(0x7f0000000000)={&(0x7f0000000180)={'sha3-384-\x04eneric\x00'}, &(0x7f0000000140)}) [ 312.811388] binder: 12072:12073 got transaction with invalid offset (0, min 0 max 0) or object. [ 312.820952] binder: 12072:12073 transaction failed 29201/-22, size 0-8 line 3097 [ 312.843862] binder: 12072:12073 BC_INCREFS_DONE u0000000000000000 node 166 cookie mismatch 0000000000000001 != 0000000000000000 [ 312.855810] binder: 12072:12073 got transaction to context manager from process owning it [ 312.864323] binder: 12072:12073 transaction failed 29201/-22, size 0-0 line 2887 [ 312.945759] binder: undelivered TRANSACTION_ERROR: 29201 00:57:43 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000080)='cpuacct.usage_user\x00', 0x0, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000140)={0x1, 0x6}) ioctl$KVM_GET_SUPPORTED_CPUID(r0, 0xc008ae05, &(0x7f0000000180)=""/47) r2 = dup(r0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f00000000c0)={0x1000000079, 0x0, [0x481]}) getsockopt$bt_BT_CHANNEL_POLICY(r2, 0x112, 0xa, &(0x7f00000001c0)=0x7f, &(0x7f0000000040)=0x4) 00:57:43 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 313.071442] could not allocate digest TFM handle sha3-384-eneric [ 313.081093] binder: undelivered TRANSACTION_ERROR: 29201 [ 313.131063] could not allocate digest TFM handle sha3-384-eneric 00:57:43 executing program 1: r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000940)='/dev/uhid\x00', 0x802, 0x0) r1 = open(&(0x7f00000001c0)='./bus\x00', 0x141042, 0x0) write$UHID_CREATE2(r1, &(0x7f00000002c0)=ANY=[@ANYBLOB="0b00000073797a310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a3100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a3100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000003f7610a8abb6e6cff4c21ed3dfa728e55893be99c5b43d894bbcd9081b48f5fd990797b70ed53ccd7eb5ef330dc7f6ff0a498358ad2becc0f5c91e163c608f4950acaeac46857efa9cf31227b4284ca1769c7cbdc7e2418349cc801efb247b0432688ff14ebeebd24963f0d9650fdbfdd94b3ec2b7fd92361538496ff30e40bf0a445be4f62729b000eaa44d02b6a17340392ad27a3923a6fd83a4e353cb0ab9489d396978ac1ac79733a754d78fcbfa760075cf2b1e906d39ec229f4acd5e23aeab4575c71135be6802d3e1ed64a38015b0358a99c9798fa9f534a1d6c8d3836992830a59ef93c8bd"], 0x119) writev(r1, &(0x7f0000000000)=[{&(0x7f0000000980)="4acc582d79a664b845dfb8ee626a97eafc2a28e15d983cb110e823411f632d7041ff470738a9b7a5ea70f60278245a3464dd847146c05aad7d4ec68f4956390fe89703784898e641efc2a86854554b757ca0efe403f110e46481994ab09dbfadaa4cbe0079bc83eef7e47f40fd0f4f5af7d304968c963a19e20803b92b9cff7ded7f9cbc463e43c9a26b3d59e40ca26693f3310de13ac814276b90b9c7a4cb7613bdfafedcabc1a9595d4fe0928fdee85621275bc35fd9d2c2a4e6e63e63d4ead6ec198c7a68a59d76e528f8371024090186e540956371c7a429797c324068134d2230c98d93173ae680ab3b6416e2dc511c58c850d42cf2e115b44c9ba4b131067fe28e5ea9957ce4e58be93dc5038f264cbe37a739c6db8b5dd5812e31e95f95f210d10a56741fc91c6e6552d02e070d09e220cd89e67253a3a76470d0f6e0d43217b824f386b8a6d13198f55afcc51c8b23e4ac891f99ae7fdb341c08938f87346f86cd6b66ef82638b1e1ff361562b430d744359dd5dd6d5ee30c8b2d1357cd67f126b9eaf369877c0006c4c5e81a5c914f0cf028b1343d4b325b49c35e6c87f8ea7c9b8a1aad96ef2a7da871410824c8210637d75eca7156d4e955d19d3e45631414afcd62668b940e433ffa02b0269d42ebc3ddb803545a797be5471e0192b43c0b99899fa5d070f1c995721a00ecfc4507e0b8d518db888337eec3438a68dc4c44426f08d79115d5c63176bd8949569653913450f9e4d3b00ce4cf4a9d5bf8bfb94487225ae8369ef84001bcc38b7c455753f5790ec6aa5f8d3837a11b2c98e57e1b2cfd6cdeeb17de093bc41d8671c1af67525f1445effb54ef997469174b99c8b10416579666d3e9eb4f390baaf15cc1f0a1c77d7a5a5aa824c63a256724b451dfbffc7ceccd8665423e635130147c5d3c64b2c855f060a56a55b4619a8415d88b5447ad6ec3d077bff12b186b8639198d99d052b73b8a2449934be5c404cfbcce76b6cd127556a5de5b810a6e9edbdd78415b92f6c726b81337c8eab9e261a6cff077eec729f8ba460bb05d44b3825fa81adc066eec0d7c165ce345e09cea1fc40b5e7aedd991ac25dd58a59cee888231ef9b3325ff89bc0370142c4ae22e3cddeb0bcf5c7457311f255f62fbbff205e0510164f27ff9c30ec1369ef698152e88d7a3d1098a6090fb560cb2e0b92df2b0ea5b0ec813b4d2291c4c3c1baf57bc38cf20ad7cf473d7b5188be9350ac61d651eccdc34fe89b7088138982ca802022932ae594460af77bb05471ac389318cf046d536a753048364b03bb682aba6cb9597ff2fdb7f7fc64526a77d23c8deee6a84ff2f9b2215a100f8f99e5f53e31fcffc81f69b791d896a5f0600269b48f55aa454242bf581e1d2e1b35e725fb595c86bbae30ef6cdeb7dfb42257bf8ef51cf7134b53a0985328da46838562f202dd9b2c862e59959a5fd5755080e019321e712c5dfc1b2b2f78db30bae08a0f3384fa44616c72442b9a606303ab98dcde21a95fe5029d5f04c783d26f21737bb9b9f8006e1e5f4498f3518d2238b3baff5e76de08f699cc25f643ed0759f2cfd7061c9c1fc249de9f648e6959592a202f8e099b915713d015896ffa5d7d1e4c40a948779a502d3e6c9c8c544c404720f6607a241650393fde7bf5c2063a3a9075cb9fdb3a421cf310dcf38ddc228444b0e2de4bc350fd6c45f6fc99fcec8bd919fe280ec85867f0bf0f049f4a49fbc25e3c1977a0c40e621424fa4846d24dafd28a5471130e1a25ad4103642e362febce1fa7b3410d36fac3841326ce61981d17ab6072e93890a813533a2ef56eb8f38adb7aa157f9e7fcda349493d291cddce6198adefe845186891431ecd7a3cd48e6b89ab373cedfddc55e17ee0ea2d2b349de29274b58a12803648288a7ba5a98763a66b8675ddf3605fdc286ec2b0754b73f135d8ce590b48e82cbce47d5427bf3f5ffd0ce7fbbe49ed766d02e077b0eed0e3fc691589d86e208df6529187d3faa46ba5fc6c24fc96f58aff544b6c2990983dab835aff7434f94dbc1f012cd19bb847050c7bb7d6916a2a0b64e971700083cd5e82392983ae8977fba2c4d98ecaf6aebf6d11840036148238d2214c91be4f167ff0be7cf06ddc5786bf57e66667ed6f7a8dc883f635cf845becc59f09ba4289e99b1f805335f15ef8bf90b588704bffa536c9b59ebb822e3d471c37b1bf089a49a0a0f8bbf928024f4953c455c31905fcc20bddd70a4b83066d3fd9e27a56d7348e3633abe95a5133945ce31c7d041f1747aebf0f551deab060e09ad5c761266ede6c0f27a96da731206cc443973296c715aa811bf2c6ab385afd2e575ffed39613c40c3e67ffe3a6a7cc7e35a2f966d24c82eb7a24e65da4e879c9436f8a247287d2506e8bdc0e6d12ef771c1f87f61e2afce7b1c3a9382e21ae3e2a420d820901210991dcea40cf91078b7468e12d866403663adc35891dd374b99d996f7e28546ff56ad9fed9d6fce6934bf7b5f167d4f4526ae81d3877fa52f0edb311db232eaf97c503f4f8622e1519ea17e827362eaae654b295bafec7784e471852d04c3abd38c19fabcc12d1d6c85d9580a00445e1871a0e48cc86ac6e3eb18e7860272db3be38ab2a71c5e9d02e86d464c20b4561a5dfd42a8cce104deeb487330b3dbad0b9304488b697843f7fd3737f0b3bee7cdbccdae2a6e45a4d3a92b53fe076af5ab2e9ad45d578a297d1bcb2d9aa1ad2f1c1e894597ed490c4e7a2d3859beb97d6a57bb06d1ee8109e2350a705f5baf855c5c0be57f47d2fc354c28010bddedc83f820a9f0661c9b85c5fd5991fa8ee0fcdf537f434743a008b87a555cdd86abfdebd45b5a2bebbf6b48a44205057a84796c8c6054fe3e12690033d4356174b2d478975425d9478917349ca60a26d79ed686292f2e006d4baf951a7de536b96f582e94de2a815dc39107194db71239fdbecd7ee611d4ae441e6886acabf090c2c2e1f4f655df7bde92d4969efdf2edefa1b9e3f83f766e9b88d9e8c95e5e6d2ac5c4dbd133234c5ec5c65f0086e84207706f74c262b5fdb3cbe13eec1db8bbdce738d4f4dd21e0381e930dbbbb2cb2728d21cd25304c42b87c7a4c039a1e2841069dab32e58d133173d164a6f2acd38a56e5fa899b2d8fc8bb63eab1cd74d416f78d6f3e658924d9f416fbf526e7c3795d9ffaf75528c109b9dd25ec3d380e52fd2b475362f9ff001e4e5b73bc2f2a19876800caa90f145588aeb83e76878d4ce4d7e8687ec2012d89752fbbda438c61aa863c308c540ae5c741769a38032808a87853136fed9164d7240dfb9b7baabcd5830aca574854d27d2ea078cbdf66a9e329977dcfe8d184e76a603c9e13c595152dca122ecdc9dedf8097b86a11119d8776bdd8f091a473a562f1d0f0847d08012a77618c21eac49d1ceeb1dd6312ff40420f109e8597c47c1976bf8c220ead6401371db163de5e76c021862be25a7620b399f6e671d5cfb39d5110386897b23057b443972a834032b1bf488ee769ccf96340f2c46841d549e3621486dc3be59d972e3c474d40dccddb58db66900f86480af024d5cf90c2378ab3f7c121e10f97c700cf03286dd9912fa278d955be34217fe302b596405cebe1d4825c053079b9201069db203c96a8ff80bbb49b0894c6f424d7fbf7965aa39daa2d41795ad922179898a9de64f642f7b02b1170a57e3663d0067f99fc6c0e0b4a851b4ea5ae12c6aa0dbc81ffeb6656e1037c2691df41bff813a095ebd95ded4418cfd0e717a9f3c52695f8a1f2e9e57bcbb65aa5c40760d1ccbf2810f53cc9a63cf2b622a01cf4d18f58f78ced2d4261230d6f1f7909d20c2014be0c5e1591cefccfccad0f32c0395ec2b7a4f90c0263277f38ff7ff437c813b8699d493de67d90776b052278d64a79c7b94573b581f205223297689810145ff97c7d9d1f7647d3177a2a1dbe99119dc008b51de568fe955c78148de3221de6c98cc39b6969eb16638b23330838676061e3fbc971c5d5fb7e412c284d228da054c2855567a2a96dd1a0d8309319e1402f5f5a9049b3bbf888c53589f34baf00996487741aa8706ed35fe72d0b7358b7fed808ce7d2b94cfa4d718e93a84712049ed1e53e65c2e227a166e95074a587066c3f5d97ab2b47816cb7c52b266c94831605fea47bc62aa7c2f16852aa1440b642cf809d6c1a110ad3f443675a219ff596b265ab70c21e1bab5d9209a975972ddedae9e02994721eea0bd318c3ac153d63443d6e3c0af700631066292f3781a12d8f812d10262871726e73731163a5ba0e56aa94213f8c226a86e79b30e40da3cd12373c3325d4b21c83fcf815890080fa5c868bb4689270de43a54d59775b5114cccf64d18a26a0dc", 0xc25}], 0x1) write$P9_RLOCK(r1, &(0x7f0000000280)={0x8}, 0x8) write$P9_RREADLINK(r1, &(0x7f0000000240)=ANY=[], 0x2be) sendfile(r0, r1, &(0x7f0000d83ff8), 0x8000fffffffe) [ 313.274898] binder: 12091:12092 got transaction with invalid offset (0, min 0 max 0) or object. [ 313.284019] binder: 12091:12092 transaction failed 29201/-22, size 0-8 line 3097 [ 313.305555] binder: 12091:12092 BC_INCREFS_DONE u0000000000000000 node 170 cookie mismatch 0000000000000001 != 0000000000000000 00:57:43 executing program 2: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000300)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x2e, 0xffffffd5}}, &(0x7f00000000c0)='GPL\x00', 0x7d, 0xc3, &(0x7f0000000340)=""/195}, 0x48) pipe2(&(0x7f0000000180)={0xffffffffffffffff}, 0x800) ioctl$CAPI_REGISTER(r0, 0x400c4301, &(0x7f00000001c0)={0x7, 0x6}) ioctl$SCSI_IOCTL_START_UNIT(0xffffffffffffffff, 0x5) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000040)=0x0) ptrace$setopts(0x4206, r1, 0xfdc, 0x100014) openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x480000, 0x0) [ 313.317368] binder: 12091:12092 got transaction to context manager from process owning it [ 313.402766] UHID_CREATE from different security context by process 95 (syz-executor.1), this is not allowed. [ 313.423140] hid-generic 0000:0000:0000.0001: item fetching failed at offset 1122013369 [ 313.431596] hid-generic: probe of 0000:0000:0000.0001 failed with error -22 [ 313.472863] binder: undelivered TRANSACTION_ERROR: 29201 00:57:43 executing program 2: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000300)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x2e, 0xffffffd5}}, &(0x7f00000000c0)='GPL\x00', 0x7d, 0xc3, &(0x7f0000000340)=""/195}, 0x48) pipe2(&(0x7f0000000180)={0xffffffffffffffff}, 0x800) ioctl$CAPI_REGISTER(r0, 0x400c4301, &(0x7f00000001c0)={0x7, 0x6}) ioctl$SCSI_IOCTL_START_UNIT(0xffffffffffffffff, 0x5) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000040)=0x0) ptrace$setopts(0x4206, r1, 0xfdc, 0x100014) openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x480000, 0x0) 00:57:43 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x20001000008912, &(0x7f0000000040)="0af51f023c123f3188a070") setsockopt$inet_udp_encap(r0, 0x11, 0x64, &(0x7f0000000140)=0x5, 0x4) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x400, 0x0) ioctl$UI_SET_KEYBIT(r1, 0x40045565, 0x23d) ioctl$SNDRV_SEQ_IOCTL_DELETE_QUEUE(r1, 0x408c5333, &(0x7f0000000080)={0x0, 0x60c15ebe, 0x1f, 'queue0\x00'}) r2 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000200)='./cgroup.cpu\x00', 0x200002, 0x0) r3 = openat$cgroup_int(r2, &(0x7f00000002c0)='hugetlb.2MB.max_usage_in_bytes\x00', 0x2, 0x0) sendfile(r3, r3, 0x0, 0xf9f4) 00:57:43 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:43 executing program 2: pipe(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) write(r0, &(0x7f00000001c0), 0x526987c9) ioctl$sock_inet6_udp_SIOCINQ(r0, 0x541b, &(0x7f0000000000)) [ 313.708820] binder: 12108:12110 got transaction with invalid offset (0, min 0 max 0) or object. [ 313.735200] binder: 12108:12110 BC_INCREFS_DONE u0000000000000000 node 174 cookie mismatch 0000000000000001 != 0000000000000000 [ 313.747200] binder: 12108:12110 got transaction to context manager from process owning it 00:57:43 executing program 1: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = fcntl$dupfd(r0, 0x0, r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) write$FUSE_NOTIFY_STORE(r1, &(0x7f0000000100)=ANY=[@ANYBLOB="280000000400000000000000ff000000000000000000000002000000000000000000000000000000"], 0x28) r2 = socket$inet_udp(0x2, 0x2, 0x0) connect$inet(r2, &(0x7f0000000000)={0x2, 0x0, @remote}, 0x10) r3 = socket(0xa, 0x1, 0x0) setsockopt$inet_MCAST_JOIN_GROUP(r3, 0x0, 0x2a, &(0x7f0000000040)={0x2, {{0x2, 0x0, @multicast2}}}, 0x88) setsockopt$inet_int(r2, 0x0, 0x7, &(0x7f0000000140)=0x8, 0x3) 00:57:43 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 314.015269] binder: 12123:12124 got transaction with invalid offset (0, min 0 max 0) or object. 00:57:44 executing program 1: setrlimit(0x400000000000007, &(0x7f0000000000)={0x4, 0x4}) openat$apparmor_task_current(0xffffffffffffff9c, &(0x7f0000002340)='/proc/self/attr/current\x00', 0x2, 0x0) r0 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20\x00', 0x10000, 0x0) ioctl$KVM_SET_NESTED_STATE(r0, 0x4080aebf, &(0x7f00000000c0)={0x3, 0x0, 0x2080, {0x1000, 0x6000, 0x1}, [], "720ed8eaf57e5fc6b2b241a473f3f330b184efdf0c2786bc6f648fc8cd1b9a844bcb41d8b67c85a76ba47bd299e1f035b8c20c56cfe914d1e175c7bf06ac3579ff4334cddb99bd47cddd3c86b29f19d80dd5fad445ca0d7ebbb221ad2092c42a6c8647068ef6c1f21c26319a621b6547882023916d6af481310bbb0512e834db54f0f2dc14ab2a07b6a5c968f4897ebaa7c871435eef453fb86cdb62e285feb626b8eea0e1eeed58b9bb665e155851e084d754d39b75fe93308f02dd1ea5e35dccc105c19f1a09e11cb72676534b9b0ad459e4d3e73e05eee2fe8642f58fcc4934f01fa0e23c3e5560222309fb8ebe89f7c4bf9903b0e53138c5a0263fda442337a0488b835a6835a1e7dfca0b992eba119124144b85c7b073605f872af2ee9023c4aca30758c8fc58ec2257ab0f9ee351cbea3cfd3181b810fb96ca9184b33999a99c7166abe6ed1d20387ebc99e24bb149b327db1b58c78b28c133aedc4f19c3b123fd8ae63e4eb7e5859be64339c2ae10699ad198af098f558fa9477de3fc7a3074fa2038656b81a6dae624a3556dc7778f3ca972cfd9b2fc1b90792947e6bd7aa95fa7026f5af0edf6742b5c14a7ac5b5ac569b57157ea3dc6bf4da9210eefc434d08b933d2ea5566288c39fe9bf1b509525248ccdbbac0f5af40d61d891bf171f1f6f763675ea83f0e7f950b62d6c33eaaa34b19b3a27038c611914b0b8ed43fd3cd0bc94d02ee239ab78334aa13c437dfaf332a1587d7604ec931d51fcc18f734e7d09f1b58e0a9f08857f64bfdce400c0fb04262c869c33738be94a899bcf86a5259562afa1286533413706644d176501da91024a743a01e5ec82e154598934a9a53be20b79cccd3527a10c019eb2902f2410a3adb347ae53b681c7848eefe91f1756401aae0a28288a37b29cbf878644e3350a47e14966e1925a1c55b1fc446bd666ba9cb6ef83ce30920255bcb84eee29b5802b0d119a1607f087812ef361e9bb2ba78e7d1cd729dbb2f0aa2f1256a23b80156e39615b7471f77a3eb00e2ca9d04f93846175784e7e8c1c7f5a315a7d0fb4b5efe2c5e5d36cf807dde55bd4cc98210a55f58d61a2ba6af4348f411699b1cf50c46030bf57505c90176341041c14fc14bd10a3ed57372e272556a6635a8d82f8d3b4154d959852c898affb85e3fd3a5a874faaa62e014a72414e5a698a560ac79a74414ea40d855a3e0595a2e85c42c7a33154040d7f1a3cf2e57e9e7f2e6deb556cd954f72815322fc54a559888ed0dfb99d59e596255641850782ce750990f511644d5baad3e704b455cf9ecefca22276719c7237a74a5cd9e652420872f2e45c5782331aa80acc607dfb5d9d56704381192ac815a40b23692978e32826b3536e30dc61ea6beaf6adaa40d76dba0eb961514477f17c76542b53f4bd61c9f2846817d06f178c572d9f90490027f7f0fa6dcd93a1130819fb33840213d810a78f592bb4daf4bdc79e4f9c411a22ceefdf61ac2b982f63a1bac67f86729a9e2b7c0cd6b97fbb910c0e73c75c6d2d1c4f8e257a5fc46e54f7f35cc9aa6b9959974818adc0cbf42b10260844c973947eadbf57daeedc7d7582696818290951bfd9b441a3541982ad017fe8259cd1b881f2379600ce2da768cd50e13c60b519dae1a9498cc482a43acdfffe8d61d527cb249b0797b7716f1b4a3bd62aa5ed37ef214976168ffb3a55bc9ff57d20eca5b693aa81292ae4ad3b7824a78980fdae97915b77fc0e5630321c541267cb7a589c386e3410c355055585b6ef161e8f1abe5e7cde07cf5dada341c173efaaa213dd63cdf36044b37847b1b2f9148f3bab8ffaa1cb777ef4102b703cda69a29dc692998f5116ae428613c86a8f64f664c22415d375776372a7a7078ccba93a238783d67183645ba1587d58f1a1997f3d68787b3daa73d79693eec2c6591a1663fdb9fee690eec7ec72937e692a19be5480897af3b263c063e23686f89d8869fa4912fbbace8088d78c651f66ea5e5b35a9e80f3d88eada17a2c3f25840a99a9088cf735693e3efb4974b6ee2d5a5261745c444dbef1c71f859b4cf2a8530593ba16469646ec66757ecee24daf7df5523c3847bfa681678ad66005e64794ce3097c7f674ae8c1e1a47b8673a15b95363083f98149c2716c7e38fc6a4a0cbeb4ed8bcce0d4fe7a79f704f7f02bb7c621a31506b1c01575935f6b83041220f4721c821bc38bcae64f84982b5ed956535cdac489e5f7c02d7888be611a6614d04c641ed0dd8734c9ff64ef1e0b22d0b0569bed8a184e8953d3732dbfaaf891ea99a7355962d8fb3e24fa9ebdea065a6b2dee849539480255b9ccaa4a31bdf56b33d1137068dcafde0bffc783f14d7823fb0488749f088177f034689863932e46cb7851f96624b7d8bf486caac74f11fb1523ea20078c0454bfd3efb77167379f18ca85e383acb6cdf8ff7ddc2e3742ae39aaeb8b18ab07c2dfea04ee5e0cf084a11db5c5bc01fb3634100623514fa0da020ce46e18b0d7bd5495df4986723ebd7a5e0bb88498d179f2db8973284074b29becccad1656fb8e65b44cb187f598e8a2d769b8a132e9405a408ad3a7bb9ba1e210b413674b77c93c8fc6b47f614121ddb566fce81a1883828dee4417f98c236f67127d5dbb8ef4279d0830ef7f128b627a6941480baece175bcadf72a40d21264527300b2e507a3245160efac4700cf8f4811e249a6ea0a83fd062a4c122fbc005f53943ee541340b3a6df00bcf6a24782986ee6226ced1958b1c19a152cad7423e0cd3710a88f6f53273f712069286f12dde906a87adc4132775e109b80e5f3a953f0e736108721db25f4c4cbbfaca882bdd735d72b90aa5c5f2445386b5bca5af5b50344fcc54de6e4087ba1f93b7a8acc57c4bc94b771ebd13e2c5c2754c4b022409463b553624c9048adad80cdee3d512611751d62e64292619c8fc4fe0c765bd5a3195961edb040e94820f88ebb6e902b6e501d696db8064a65caf6775261aef836aa9b74f1cb7a588e24b83110eb2403424c2608fb2c95085c9735442e87712b116d71422d82dedef193988f4da850fabbd604900eda6064e85127ccd7cd7e6715e4c7d73956a0ead8c9916f5fded6d2b078b843783fd1a201e17d5d4e250ca0ad7f76405047186cba3c0fc644a97d5396325ecd7a0e111135cb8b9716e3b81721090e3498fb7ca90c15f6b4c70719ccdd97041c86f95f17424cefaab131075cdfc75f2bc512f4c2b7737f26c41c546be9bb1dbc0dba81bb579d9d0e6f54aac3e3c911549b51a342a553fb402f5aa3a5ed4b31ae42e018be8fe05bca78d9c879d11947ed5ceb20f07e9d04760bb24c17e7ae4f8d71f3e3a228f90afa8b9fccb8dc361d61ff4cf19cbc948870c56e2a338118148e408b3e929902e7442ded983a6a3dda8bbd37ee2cfde57fd81b9840225e0aaddb82a866868a8d458a9ff1cbc836239f411fc59eefc6297305723eba66813e785a65279ac8e464fcf0d6625c249e4f7cdfe08060b111246cefd7b77654ac4c4d9d9c1b268b00c75d260b7bd98871f6ac8102901d0be5a5d8848b9801dca19fb9a674795e216a2f01b6bacc306dab21aa54c02dd86fd448ef373d499fed7f4ca4788486d48ee7d420f34ab4e98b7c924a8d1f34e9f2dbb0c5fc213d4db17c5ea5628702bfb3ee2649eee9735b8adbfdd2637978d4ed8a3f9cf44d36a0fe510ca9e249ac0f7638e9e8ded101775f5ce4638d7465fc6f441234758547f7916570fd8f5dc08b2de8e3f94d20e7bebea7366b86cae0d3dc4019d0c5818f13a9bf8790b0ce5fa98aacc2e38c5e776df33ba76c8b9bd391aea7831c00e9301d3a28438d0d09260ff4bacc90d5671136f1011ca37a25df7028fd9c960dec0a759e70b448680c7588cd5846689b6748e297b22d9e6b107aea182ea9469ade5c66955e8686ab5b72f4f55d0d62a0420a0f27c17976f30d156436eb0b9e519581aef0d65365229491cfea4141a63d6c39fa3d6cf58d04bface38ebaf79a75acc8087fbdcb6fb48b20562fce6747dcefd9447eca7a933e5e03bbbbd9d4eb10f5f3302921e01a595cd890272a79ea4e35448380c5a0387ef54e7eb6f9b800bceb256d610a7a907148061143fce12093da301beb5a86c588e0f1132071e42418a7c49d9c09d8e4be66e39f53cc9be459af49f8e4c2f774edabff402827a148ef4eaa8f55918b34de7f7f85baa7b28d97a0b5e8f97035b57c5a0ab2cc99333d66338144c809259af3f55472193bd4e0c3eb8434dfdc4b4ff5afea9276a2d82e8423b76b30926009211386f174a57423e69caa24acc8fdd7a660ea62cb2ec012d4ef0c60805639d3dc2aa7ee489bd80c64c3e1b63d30533355a30552e10ebe217df4e28e9689aa83292fe637f456181d95e176508a766a4c7244983c3bd596ebd374f1b5f60e842107a7bc2515eadb9b95dd3650eb5acc34ea773538646019a11787c531f2dd7a18bd05c9cd569b1aab5b71c4b0da0344f7afb62208fd04b2ed51d117f18849fff95c8b90a4f156cbd30d9bf35f6999dc3c5e274bc1298359902180404849f17cd9ce99ab758902007019f0c5f9dc39f518a9447bdec9dcdc3802df98575e6a6db5034cd528aba082806e5de24ffc0e74bc65d4d930c2331caa6242ff2df4577d0c1e4559753f4996548cfb81aaa6e7feeb94f4a525a8f7b1751d16b9e44cf0560ad0dc70ef1d97cfa579f615fd719d09a3f9bbaad0dbe521e5e86f398026f178cb3fcb2bc2ab37774998c6d77a40c42815a3a419fe569dacb2fbf2580baf010d05a7e5499d894938472ddd8429777f75773e1d0bf30021793d31278c27373ecfeed98c471f79a616571d418202aee86a7ed859f958884e258048138a447ea5630982d00c51c7545c9fcd2b2586bc02dd3e5750474c8ed641dcd900cc1c7159a4259926b762fb937da7c57603d10dfa29fbdf0d08626f3112cd6b4f5e26f446da7650bf65cfcbab0d701242fb83b1d53fe695f46005aa9fd4ab2832eb8e49c4e3231349742d0d5e176649ac3be3f0ebcc6aa80d95719ce0828593277ad73c322cdd6b048a6fdd6b755915d2ffa35482a5c254db9f3d7840d535d90b4aedf6a7380d995e3db40cb0c5f5d16ca4095c72317e6b2a5da27573660b6d4032180ca0cd49392aa58ea3dac1834fa626f4d4acd8a376924814cc595c1d263a4e048fa1434191d60b548ee82dedf122edc9679a721581dedf382e37d7944bffd0189c597b83aebe81edbe906bcb61ce7404bad8f1d55e1b0c38276e302014ced12b953023d4d613855d275a61d7ba0f61a7674d9e9eacce6f2bd31544853f9ab806ae7812d701a8da6f0d79ec7e3f3000382a494e7a2c82b852c48e885f512a3473cdb1de8c7236a9616c6672d2371b9255182601415a6f1a9db056fe48e699e485d57dc58af453831e83ad609c7659115711315ad611d6e3443cb9938828be2a4e0dc247b91f3a044aee0ad13383cb4b36ec6b539de2728efff7195b3838d09aa860c97e4fb3b49f9cec0bd7e2f6fefae8f00b9c624dde504e76654feea9f98a63f52aa7b98fe77165bc8c0ed6134c27cfa199454d0d3ca6e739b0de165d3aa314bae055a1d0bda18a6f9571605b236a10ecb46f1f27b8bce88b5b4367cdc9da2305c7de99caa7b895715fb56e0d98f8589b0aa751f1e206958ea087930f4636a8e6372c681af3ede8c1f96c51d6b1ad56ef08f6eb30fb0152ad32fa2491b9847edd8d42c15a28d48fb7112e557a76b0f0869ae025ecb9733837ae434", "813aecc5b9a7811c206312dfec3befa6af28fff69a4980cc5e24fa66acbebc48015adeba7ab8577a6beff3a39a5db2431dc234db8edbd8f3faeeab2b5f9766f49950bcf9e76e766af8c5e1e7f94d474c49b943d24265d59362c7d7e817b1a71d6271b1cd8f776c84e3db9ebbe65b1a99cdef6aafd0c952f24f9a681b1d7d16e2a2e66d996ee9b3af0b3980fa6af8301440f86fc5eb0cc3e6016fdd5a0eeb08d3b76b1b9fd9849dd3760b35cde930de4ceaecfee6b553c02bc74fedd7cdba85b9d77f9ee5c4937fd36857dac8e88b5fd0f9e33584cbe46ea2c0c10a98db841a6da39a06a9c95a9b2e8bff318fe6bf305be4f47cf6290ec5660fbfdf74133245ba24620aa6fc6396216aa829985fd4b44aaaf513d5af868d73da52b75b32e6e66f1196a92d66b4d626bc35c2c14a9fbec0cba6efc65c43e3dda7b4d87998ad00fa80f8df1da3b1466e09c155d94ed0508c461bb0d00f8d602046fe34c57662ec8fa9a0959b82879d067b9c9de1af7d43bd8e76865f2fade5a0c7ae75d73e723ebe7aa913e540c36997a02f477b545a32c950699ba7789512a2ae7dce337ef801da9a4c9054c12755bdb5c22d5b897ddab663b724e1c3b76aa2badc6033b888c8848b3c97797fb3cad786900fda38027c01b3f014f2b5985eed470365bb2ebb36901ba7e98fa2d6be8649ba18209d8dbbbb7b6ee1f89c44e66ab640b4670bc25dd28c40726692d48a4fbe25ba3654ecc1ca44d50d80c61a83ff7a54b1a3c953371fd90d68d9575fc46b00f9e87c789d00bcde022518e07664ec518f65650a663806ada47a1cdbffd02bd819c6bdd140191002eaa7e27b6e4979f184a589977f04d1c633e0697790aa818359de210165099bb8a99730e40253fc2b75034a9f6cc545176c30011787275190bb510f34f0b65c81ae85a2c018b763854b5ba713bb4ecb190d628215ee000b678f64c781c5444b93dd1fd2b996bab8848cab440d319a3c281584b4592f3b4d7d5997478ed2229674f5eb6742d2a51a71efab2d574ee51fe8218a82dc68476926c7fed0b35ecf76898b6cd49c65bcc0f62614260ba6607227960eba7c39175c76eb0e9e97e90e48be8a2728b953ff519eabfc88f0daa6994ae2bad11445eeeb57541d9a2f282431030e9133bec501852c0a91c301920aa356e4acef737ca4f0ec821f4c253ac21cfb2a9aa42aa165dfeab88dd9ef16fa3e720c90a3451290b3221b1c055d4cc9aec6d90990f0040384d33ab41107e8d51a3261d7fde5bb291032ee374dea5e2d91eb06328d44fa64ce056834e9bd35ea365461cb28530787c125da24aa78634795e7cadd7110760e46099c55db296d55eeeb2979a15a579d3655226d5bc151ef28b2af74b3623fd003fbf231d5b9cd919d4088db2c2bac694649b96b00878a18358883c80218ee0af6e6f5fb7cc8b5386ac319df2efcf222728223829ea4e55dc42a4c78d172e7dbd239d61fc626606e9a845504a6db842a86e1ae85358a6cdb5a895ed56f69723335efbd104b5566b840d8ec9e330a7c4c4a40452a2f50bc4e861237dc483359e75b30a0ea2b0e830c4e5c6e902c78b5f02405a5eee2c6b1e13e147f8d57bdc9110b08d3bfe559956ba2bb2eb360efb570047ebbb72caf08a4b31d5779b87449a77b9f975441b32264da3565230d8c15263de8cb250529d745ec20fb4447979c807945ca64bc297c340dc8c8335502baf7929fe8bd564033090d9783595ea4ae53c8ac586d0dc787960695e3b18b3b899060be4d0265c66f29124bc52a9b45e210ee92a4617ebbd5553242eb06def019f971864bbc7c410c01cb47e2ec98c4b6aaa7fe2d678fd03f2285d9af01d101ae34592cd01eae9849f6e38f70bd4779819e9b768ddbdd846f8cc37b13e1b1d8b1dc5afded8dc4aa25dc41cb45c13a99c73c4370556c36d5b12f761d21f259824bb65d473e3f81151dcbcbd983964a7f78068fcf022ddebc6c4a2c21ce51a19cabb46960266def0d7dc66eb14d627126f13b9d0e107eb8bfbaacfb98c946ec35183a93febfe3797b753e6005cf0a4daff2f411f575a4151c2416b7f9b19e8959274fa29561cfc208f22afbe7d159245a063fcacc53f9c53e164d3b6f6f803e19cebe85b7e3a6576cf518810dc770f5869f5895c8f337c09ab0a67d7417ed7da3cca335c9b64ed9e1026b3dfc205d1654ff5f030ddb26e6ea97faedf5c18447f062ec00ca6c8829e0bf68d5354d636311d1b1304b5da6d77b29e6366b6a9de8f3e2c8e855e18d62679da514474416faa0e3a7c24ff869557ae28fa05baa73bd2dbc39bf67f3f3111c32765ac396f264405e1eef34660565e284b75021de2a72cea9ffe83d5537b84b98c6d48bf73eba14d0e0a4267071c355c6bd9f5b4f806cee733c7be3393fcf740e40bf3275127a461c746a34e8eaf2fc88c49ace96fc83039f16fab6e3576ac7fe632a3787085c536b335876544729577495e62a9b3248d9ca0abd858480a8cde3c96a93e827f588c0495e1d0b245a7ad0cf4de731d5fd0aacdd4161eef96097e09dc679b85f841a2346e8ff2d7278561610330530765fd14b91feebcb326719f3a592704e1f29f5432b9958387950b076c6fdb8e6d99eeda132707d4ec36c47a43c32fc9506e2ca04d15a8db65f4937bdd0e8004e23061399552d0e0c75ab627baed78347433874d76437edcf82c4503eb84f09c468f41374b74ac052149dafd86747c0de25a3f46c4576761833bc28d75b42e76ca9176cf02bde91b4351ce9320788e41c8a1a332bb6acd050701481a4855ee025ce95c5fd79bca9736aff10c8539e1e64e07bfc092fe6fce4c214d7112a84f98828a50708d5937ee44455a61ee347338c0d583a146819ce043c40627ade6233d9d55c0dc253471d01859fd0b930d51df17e84f0ffbed3b605041585ad9896781842b9ac6ac6db4acfef7b6a8011f8055e54d06610165e52e491707d672f1401f08d38f7b4c9e27cff90e545c8f8d4c529db603e4637fa63b40e5d1ded22b14ae913a9af6e399a11dc90414ca2facc095e647806739c620935f360425d68a399088f339b61d72ea375f86383b814ed9d6c2779c6c4a503a8672990c7950fd2b25dc71985bc549b57047a9a5acdeca387fd6749fa13b37bd7fb0aaffe79d2633358d9b8d66cea1ea0c4618c47f7fe48f4d38a0ef3e4edad22afd94c83c818747c48d6ae25fcf26c3b349c0dac9ee5b57c37433d76e8acfc03f0a8991b64bd3e96b4f8fbcb76904b530dd4b14fa33910d746541c79822d882f08f382279454ff6b1975822406f974b70e70cb14e8d8cf1e80749525dfc23c3091f947ef00673b9437a72e9b71ce9be2d38c5e5347d2c2fd29e615f94113e6eea0590ab61516df059a26e60d1b8798e95c15a63ebab39c6aa96d2dcdf55639c88354e6575dd600fd7fbe35c49771872e3b9c0d54e8efd8f2b8318577c6fa30661dc6a9da49b5ccd3770b151af83422516bd4703404c70b67b940911e5716e252b74db2582ab6ecf1aa047be34f41c1874ca66c2aad5155aa76914d903ba4d7ed2288b1cbff47070d5cc79d83ab2fad00374d8824ea0fd953a2ebca1b6b7268856ef0c5e507e1cd22264faf2da1c73db0380c91cb22eda25a21ce2c278223609bc3225555d4011936a5db1a19f23ed7fb9a08044a7b3372634b95718b53ecf659792248dc3e6dd15746267c9dfb72402174e69f65d3479ac8a190e142038a9ca01f13efd932a9069cd286f3d84c8831e7744029c3e7eb34d1841f16e6cbef3d9eed729b54d6512bb4ac631a9793d1a109b7ffbf676956dc5e514f2446daf6c46bbfac1a7583fcf1c97ff1293a40a9762ff6020c72d21e7af6aed7495b51f398d75fc9f25e57b511f47b62f00057f127bee2f99a5552f6bf4a56230aee80b24af67bade9c99350ea5d3aa92cae6769474de6860c69dfece57435d68d6128afd71529c7141d34bdc2361abc71867006c96c00094b93d1ab68cb8a6f49c2e01c9e38bae80b0a9e8620fb33d9a59811a1c325fc506a4d531df5ecc0b4cffe06a06186d5e68bcc63efafba39fabb6d7ec0282af587cee6c2f4ea099b849c6549f77631c90d02042311de4ec19d5c58d24fddaa74d062921242804cf0efff7606d5b83adbf668be17e6564e4606431de040a64c0eb886832ca56fac294288f95ad0013302feefbfcea5ea14067fea951476d997f81e00614745f91baf95ea6a4d2797168901b92189b223151d95e465e2eadcf5ed0507ac12f31fbb62a82fe65691b9ab12c850f72c52f43f088ce7a26007e086938901d1b96c43a38fbf21f3a898d065138f61551facbf5c804af186964b0043ea9afc19e53f257b77acdac89d525881b9b2617549bd9c13cf05539904a2a4ebdf2713b85cf330968d8169e03ce98ee6adae1b69955a2a52b45d387a2db4a198d35d0b76dc3c4352a5041527dfe645971bbb6cd6c78f1710584ab13d2c87a8af3d5ad925f1c56b001dedc4de7b33eba1cdca2537932c7926270a08f2b4ddd05242df41e3f18a49a2e4b792970ad6991f6e5795c5f1fdfdb6d2a6df836c9af1751aa263c207686d8ca4e8c2ee1fb116f8aae7f7320a4de1cca1a36e37f27f0e0b57b2c5a00dbd83a834347bb0542088c967885addfe3da7cc1e7c3fc3b7f89b71aad12fba4d08b1458e2dd2c1992473a032adfe84ceaa35c394b8f9619c1ec8c7671f0234749aa26e34c9a642792f23600cdcf953cef734a0de67ac32b9c5103b7a5308b46c0908f236daf3d34b4f992098c9f1a60946516b40b92fd14a8436756cb917fb567acf5f2841bf602a05caca60e87b3f339e735d0f168b862da95245a1664e3d812f5ba180a20d915acbc06397486577ab11c19fdac386d67f3e58e7f137177854891839daf6090f931563a539cdaca4d3a144839c9f25105833008fa63d3d57badb07983a6f0b297be2cbba831ca687d3e5b72f2a0040943dfd5b8ac80d790a758b9ad1bba119740cabb9ea02bf71dd87630bc9ae78515bf0fa6d9782ee0c86836eead10ea7769993b82b9d709991fe5f381cb8c579c2e73872bb6cbe320e46c9c7c5e5587e224688343551c921418be698afbf03182f892d5624106614890b46eeb297480e4e03c373702304cb4b34076049117f1e7d54db2cd52ca9999aaa124ce9e02a61acd86a1be94905ce0f37a715d74faa19c856ac2a48b4655c01607f581aea09e9df28d8862a0cf802db97fb1e432aa6d33b1134feb6a08aaa00c16bdca74e2044a4c3bf0e2406960da1add37edccd96127137c334ae3703444488e116f4ea87b2c604f69dca1b4a121405e7d1eb60e3ecac38b1239209145d41974c3ee6d51cefdfbbc7289f2954ed440d36eeb1c1dcc494cd51ddfdfbc944a36267d006ef8141105c31891adbee17b3fd848124bd77ed2be234842e4640d45b9966cdc4c0a08768e2994e6a6654b6651993aa946789c6b515c697408c048ec24e486940e4f37fc884a9b51f8b99c0f28749eebbd11388d105fb5ee51bf53485983cb8a6d83e51e017784ecc08daa81d6955480f7e9823c349f732e35169070283d14a840b19505c4185d08b54905fb0d058b3f9f852b51b98eee9c2a46000b748a104117a059aa68660cd1e4e697b510908bd47e8085016ef48f58391bfad08f727a2de050f56739b3c8dff0e1f7e847727547403011338f4ae49e36b829850963542736c02f07e070371862a517ad5eca90edec098a3c55ffa201091606c6698964f278cb8e6d328e3b58337c876e97704ac54"}) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c, &(0x7f0000002140)={0x0, 0xc5, "003eb162e65b2f7e1efcefc1e11ca5e0f4d93374cec0daa52e7c4f09a23ac2c07f82434c756c49b25432ef5d45dab97e164ca27aa54775f533bfc9798a2265be27fc55b58732e5d158716b510139188934bb8b3ae8eee6301b2e68fdbb6a4c7d2c84ac73ab92e81c8009882449d98a97a9e1f269196af6bf0b4a4107a0b8df0c5f0dc66fab34bea8ea15909883ee81b336f9c8e803266456f29d7149b428800a323f895fcfe4b00cfef2891ed7ac20c68541656b21df04d0413e7dece03c117bd855db6e5e"}, &(0x7f0000002240)=0xcd) getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(r0, 0x84, 0x1b, &(0x7f0000002280)={r1, 0x78, "6d1a3f3d02b205ba1111d5523b40c8515cfe053d67856e1e26a69f01193917721cbe9f2a1d965c91ed867c0dfeca8df896dc5556ab48065a4e63d42d31563fc5ecfd4bd9bbc8ca5809530ea47ea86d65f319dea19ce4ce801e2e20b8dbf6c857f058139d708c9fbe7a4c87efd8d31ab843b3306da10c4299"}, &(0x7f0000002300)=0x80) socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000080)) [ 314.070233] binder: 12123:12124 BC_INCREFS_DONE u0000000000000000 node 178 cookie mismatch 0000000000000001 != 0000000000000000 [ 314.082284] binder: 12123:12124 got transaction to context manager from process owning it 00:57:44 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:44 executing program 1: r0 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x0, 0x10000) setsockopt$inet6_tcp_TLS_RX(r0, 0x6, 0x2, &(0x7f0000000040), 0x4) r1 = socket(0x22, 0x2, 0x2) sendmmsg(r1, &(0x7f0000002a00)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0) [ 314.330475] binder: 12131:12132 got transaction with invalid offset (0, min 0 max 0) or object. 00:57:44 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:44 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) recvmmsg(0xffffffffffffffff, &(0x7f00000009c0)=[{{0x0, 0x0, &(0x7f0000000940), 0x0, &(0x7f0000000a00)=""/181, 0xb5}}], 0x1, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_LAPIC(0xffffffffffffffff, 0x4400ae8f, &(0x7f0000000ac0)={"55c990aa4964e82a3ec457f4c7d69681319b32c4fe546fdaa52a7f1ee7a27d5f71fb895c4bf21bf0301d2a160f646d230ecc224077896302fd1e64ad393ef24145492c44f164e53100dc89f52d25895dcd4320f649fc784145767a5224088c492511d0a5d7bb0c0176706c238dfeee9caae8811ba9d2ec92a4a340c091647ae36123d290d72c375af37957c01aa945bdb6a7a6870069350c7c2ac6b9c032e80d8150743be19fbaf9447badcc1908d174e06fd466e64e24e3c892ee52a4b31338ad67030baeffa5bfa701c1e7bfbd8fd016d87018d05ab11f9e813877bd9cdf0884cbaabe09190f95550884f8a1e6510f6bbe96f86859597bf89741aea068e55b938ebee9d9bff58478513c4b72edbf79f75431b54743ab05d3980b30b2127cf13bf94beba0828a4bb1848bc1f862fac00698e4bd2f4bde3bb35107056c4147c0ed8d7d588ba03c37b82ea384d1db706a8b46ee351812ad747d1045540a48b542996812548270c5af5d27ff72920bebd8371348c7f55a953e236ac13fe737a81bd9b61e30a5e9c526cf61862f5a0a90963c73febe3b66ab29f17b6da74b7647bcc4e527356d57fa1fe3f3dffab39df7b353eda6b839decb4484939f4fc0c84bda1c964941ccf4db1ca0d2c152fd356ac66441c8b68755d533b416d9f7999678227c7a69db08e997252dd6a38fc458d93fac9f1f14f49b7ca4a0b0c8b538d2f30c34503a0975506ae9004b3e5c3d2469cf4e03d9b79dc1499647b5b680a02bdc56c18782c48120dee663918288f068c49d85355d114cfe0c5d1405cf5e37b181f296fa7dc9af116fbe220121fe139739226eefce468f27f5d21ab51ef0e26134c5341cf13799003ceb38d4050c2ba1c9e6decc2d11a8f14a6adadd45e615106b5dd4c07093ba114ac55b4e80d1a3545ab6e8fbf796b908ecc244340fc06e4d4bd6e069b7f0232198ab067a709bcdd4d41500e5dc7032e5993f965d4603033fe61cc523937d7345df42b4f1b62c4daf64f6c29eb2f214b88680bfe19252b67719ccea37d19fe3bfb0c8ad0bd6f4a1df532ec9220269453df5144ff48f63c2ad655b8f20db01b3af95c11f4e7de2bd0a47d47b08b620589a33327bef9ee310505c1736510e88b74281f098099c753d30fcf32f31a0521e32407d689b093f24d07049682ff4662b5b94616699fd704589c0edb02cf3e622088c685564b0c166f9f3cdb12dd8a70684ac6e24570191dda2db2b1965d2397a45060f834405b81fa79204e029b7cd93333dfbef669f3e480fd071f5b87e9fdf984dfe176353ed12ea15484366548336f540a5f1e8b9e19bdeb8d71dce9ecf03d09515bc4bcf7be382176e7e12395ee0f795f76695d0d90eee181d300deb89d7098403ac76309e63f6ca3eade1ce57dcd9de56e24610ed5c470d5540e9f50d068ee8a1431bb3216ae99b18"}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000000)=[@textreal={0x8, &(0x7f0000000100)="66b91000004066b80000000066ba000000000f30baa000eddb8f05000f89ae6a660f3a22efa80f09f00fc709f20f1ab60d0066b93608000066b80000000066ba008000000f3066b9800000c00f326635000800000f30", 0x56}], 0x1, 0x0, 0x0, 0xffffffe7) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4068aea3, &(0x7f0000000200)={0x7b}) pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$VIDIOC_G_OUTPUT(r3, 0x8004562e, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 314.645159] binder: 12139:12141 got transaction with invalid offset (0, min 0 max 24) or object. [ 314.654438] binder_transaction: 7 callbacks suppressed [ 314.654475] binder: 12139:12141 transaction failed 29201/-22, size 24-8 line 3097 00:57:44 executing program 2: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1, 0x0) setsockopt$sock_int(r1, 0x1, 0x2, &(0x7f0000000080)=0x101, 0x10000025e) r2 = socket$inet6(0xa, 0x801, 0x0) bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @ipv4={[], [], @local}}, 0x1c) bind$inet6(r2, &(0x7f0000cb8fe4)={0xa, 0x4e20, 0x0, @ipv4={[], [], @remote}}, 0x1c) setsockopt$sock_int(r2, 0x1, 0x2, &(0x7f0000000180)=0x7f, 0x4) r3 = syz_open_dev$vcsn(&(0x7f00000000c0)='/dev/vcs#\x00', 0x3, 0x200080) setsockopt$l2tp_PPPOL2TP_SO_SENDSEQ(r3, 0x111, 0x3, 0x0, 0x4) listen(r2, 0x0) [ 314.745916] binder_thread_write: 1 callbacks suppressed [ 314.745961] binder: 12139:12144 BC_INCREFS_DONE u0000000000000000 node 186 cookie mismatch 0000000000000001 != 0000000000000000 [ 314.763330] binder_transaction: 1 callbacks suppressed [ 314.763352] binder: 12139:12144 got transaction to context manager from process owning it [ 314.777180] binder: 12139:12144 transaction failed 29201/-22, size 0-0 line 2887 [ 314.792121] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000007 data 0x0 [ 314.803287] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000004 data 0x0 [ 314.824643] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000008c data 0x0 [ 314.837208] binder_release_work: 7 callbacks suppressed [ 314.837222] binder: undelivered TRANSACTION_ERROR: 29201 00:57:44 executing program 2: r0 = socket$inet6(0xa, 0x80803, 0x2) r1 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0x1f, 0x400a00) getsockopt$inet_sctp6_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f00000000c0)={0x0, 0xfffffffffffffe00, 0x9, 0x1, 0x6, 0x81}, &(0x7f0000000100)=0x14) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000000140)={r2, @in={{0x2, 0x4e23, @broadcast}}, [0x335, 0x80000001, 0x7f, 0x0, 0x100000001, 0xe84, 0x1, 0xef3, 0x9, 0xffff, 0x800, 0x400, 0x665, 0x1, 0x40]}, &(0x7f0000000240)=0x100) getsockopt$IP6T_SO_GET_REVISION_MATCH(r0, 0x29, 0x44, &(0x7f0000000040)={'icmp6\x00'}, &(0x7f0000000080)=0x1e) setsockopt$IP_VS_SO_SET_ADD(r1, 0x0, 0x482, &(0x7f0000000280)={0x3c, @local, 0x4e21, 0x4, 'lc\x00', 0x20, 0x1, 0x59}, 0x2c) ioctl$DRM_IOCTL_AGP_ALLOC(r1, 0xc0206434, &(0x7f00000002c0)={0x10000, 0x0, 0x0, 0x1}) ioctl$DRM_IOCTL_AGP_BIND(r1, 0x40106436, &(0x7f0000000300)={r3, 0x7}) write$capi20_data(r1, &(0x7f0000000340)={{0x10, 0x9, 0x8f, 0x83, 0x1f, 0xfffffffffffffff7}, 0x51, "02937f9b34d064dc9b77fd1e0d714cbe95c672ba8932b0e2e864c7852ef0fa24741bc21dbd32a6ecc95b860fe4d6315decb0238f6dd956b4b5a81aa9fb9c894f6e98e8a844f9b95a521e2c713eb940231d"}, 0x63) [ 314.873437] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000002c data 0x0 [ 314.897650] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000002c data 0x0 [ 314.940932] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000002c data 0x0 [ 314.974894] binder: undelivered TRANSACTION_ERROR: 29201 00:57:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 314.984302] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000002c data 0x0 [ 315.048750] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000002c data 0x0 [ 315.071456] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000002c data 0x0 00:57:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 315.096572] kvm [12140]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000002c data 0x0 [ 315.108755] binder: 12154:12155 got transaction with invalid offset (0, min 0 max 24) or object. [ 315.117967] binder: 12154:12155 transaction failed 29201/-22, size 24-8 line 3097 [ 315.188928] binder: 12154:12156 BC_INCREFS_DONE u0000000000000000 node 190 cookie mismatch 0000000000000001 != 0000000000000000 [ 315.200733] binder: 12154:12156 got transaction to context manager from process owning it [ 315.209243] binder: 12154:12156 transaction failed 29201/-22, size 0-0 line 2887 [ 315.236740] binder: undelivered TRANSACTION_ERROR: 29201 [ 315.261791] binder: BINDER_SET_CONTEXT_MGR already set [ 315.267249] binder: 12158:12159 ioctl 40046207 0 returned -16 [ 315.320553] binder: 12158:12163 got transaction with invalid offset (0, min 0 max 24) or object. [ 315.329824] binder: 12158:12163 transaction failed 29201/-22, size 24-8 line 3097 [ 315.349662] binder: 12158:12159 BC_INCREFS_DONE u0000000000000000 no match [ 315.360083] binder: undelivered TRANSACTION_ERROR: 29201 00:57:45 executing program 2: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x7, &(0x7f0000000000)=0x6, 0x4) setsockopt$packet_tx_ring(r0, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) syz_emit_ethernet(0x10e, &(0x7f0000000240)={@empty, @empty=[0x89060000, 0x2c004305, 0x8906], [{[], {0x8100, 0x0, 0x5}}], {@llc_tr={0x11, {@llc={0xfe, 0xfe, "02", "2e22d06eb79c529f211a35523301b56dbf363cffd28984072ca25a9f5915c650467785b186924b7acebec47e728bf7c0c7ce1996bee1b7b0b707e3870848c909f8ccf225905f722e8697618c73aa829dc78d8f46c645f2bf9251a305694fc5db2e21a9a9606fc5069d266d01eb04c4f0dbcacf823f3d313e15686c950771a825a4617d9ac87a9d64a3c5e0547ea1196f1fbc4eba07c92837258d1a7f7ee919ca6fcc9831f653fd9b396f06e4cd8308b3f218943a92b19583f09830698cccf5c69b93a45fd66f44444da99929da727ea093420b83b26c0d45a0c73fce148215b3c89d6525b6e1d09fd7e682fb96f61a2005be67ec7ca7e2a163"}}}}}, 0x0) 00:57:45 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) recvmmsg(0xffffffffffffffff, &(0x7f00000009c0)=[{{0x0, 0x0, &(0x7f0000000940), 0x0, &(0x7f0000000a00)=""/181, 0xb5}}], 0x1, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_LAPIC(0xffffffffffffffff, 0x4400ae8f, &(0x7f0000000ac0)={"55c990aa4964e82a3ec457f4c7d69681319b32c4fe546fdaa52a7f1ee7a27d5f71fb895c4bf21bf0301d2a160f646d230ecc224077896302fd1e64ad393ef24145492c44f164e53100dc89f52d25895dcd4320f649fc784145767a5224088c492511d0a5d7bb0c0176706c238dfeee9caae8811ba9d2ec92a4a340c091647ae36123d290d72c375af37957c01aa945bdb6a7a6870069350c7c2ac6b9c032e80d8150743be19fbaf9447badcc1908d174e06fd466e64e24e3c892ee52a4b31338ad67030baeffa5bfa701c1e7bfbd8fd016d87018d05ab11f9e813877bd9cdf0884cbaabe09190f95550884f8a1e6510f6bbe96f86859597bf89741aea068e55b938ebee9d9bff58478513c4b72edbf79f75431b54743ab05d3980b30b2127cf13bf94beba0828a4bb1848bc1f862fac00698e4bd2f4bde3bb35107056c4147c0ed8d7d588ba03c37b82ea384d1db706a8b46ee351812ad747d1045540a48b542996812548270c5af5d27ff72920bebd8371348c7f55a953e236ac13fe737a81bd9b61e30a5e9c526cf61862f5a0a90963c73febe3b66ab29f17b6da74b7647bcc4e527356d57fa1fe3f3dffab39df7b353eda6b839decb4484939f4fc0c84bda1c964941ccf4db1ca0d2c152fd356ac66441c8b68755d533b416d9f7999678227c7a69db08e997252dd6a38fc458d93fac9f1f14f49b7ca4a0b0c8b538d2f30c34503a0975506ae9004b3e5c3d2469cf4e03d9b79dc1499647b5b680a02bdc56c18782c48120dee663918288f068c49d85355d114cfe0c5d1405cf5e37b181f296fa7dc9af116fbe220121fe139739226eefce468f27f5d21ab51ef0e26134c5341cf13799003ceb38d4050c2ba1c9e6decc2d11a8f14a6adadd45e615106b5dd4c07093ba114ac55b4e80d1a3545ab6e8fbf796b908ecc244340fc06e4d4bd6e069b7f0232198ab067a709bcdd4d41500e5dc7032e5993f965d4603033fe61cc523937d7345df42b4f1b62c4daf64f6c29eb2f214b88680bfe19252b67719ccea37d19fe3bfb0c8ad0bd6f4a1df532ec9220269453df5144ff48f63c2ad655b8f20db01b3af95c11f4e7de2bd0a47d47b08b620589a33327bef9ee310505c1736510e88b74281f098099c753d30fcf32f31a0521e32407d689b093f24d07049682ff4662b5b94616699fd704589c0edb02cf3e622088c685564b0c166f9f3cdb12dd8a70684ac6e24570191dda2db2b1965d2397a45060f834405b81fa79204e029b7cd93333dfbef669f3e480fd071f5b87e9fdf984dfe176353ed12ea15484366548336f540a5f1e8b9e19bdeb8d71dce9ecf03d09515bc4bcf7be382176e7e12395ee0f795f76695d0d90eee181d300deb89d7098403ac76309e63f6ca3eade1ce57dcd9de56e24610ed5c470d5540e9f50d068ee8a1431bb3216ae99b18"}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000000)=[@textreal={0x8, &(0x7f0000000100)="66b91000004066b80000000066ba000000000f30baa000eddb8f05000f89ae6a660f3a22efa80f09f00fc709f20f1ab60d0066b93608000066b80000000066ba008000000f3066b9800000c00f326635000800000f30", 0x56}], 0x1, 0x0, 0x0, 0xffffffe7) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4068aea3, &(0x7f0000000200)={0x7b}) pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$VIDIOC_G_OUTPUT(r3, 0x8004562e, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:57:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 315.422989] binder: release 12158:12159 transaction 196 out, still active [ 315.430082] binder: undelivered TRANSACTION_COMPLETE [ 315.492359] binder: undelivered TRANSACTION_ERROR: 29201 [ 315.497916] binder: send failed reply for transaction 196, target dead [ 315.604415] binder: 12169:12172 got transaction with invalid offset (0, min 0 max 24) or object. [ 315.613798] binder: 12169:12172 transaction failed 29201/-22, size 24-8 line 3097 [ 315.629011] binder: 12169:12172 BC_INCREFS_DONE u0000000000000000 node 197 cookie mismatch 0000000000000001 != 0000000000000000 [ 315.641203] binder: 12169:12172 got transaction to context manager from process owning it [ 315.649747] binder: 12169:12172 transaction failed 29201/-22, size 0-0 line 2887 [ 315.665096] binder: undelivered TRANSACTION_ERROR: 29201 00:57:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 315.760989] binder: undelivered TRANSACTION_ERROR: 29201 00:57:46 executing program 2: syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x10800) r0 = syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0x1fe, 0x203) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000005c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_SET_CPUID(r0, 0x802c550a, &(0x7f0000000080)={0x2, 0x6800, [{0x0, 0x400a00, 0x7ff0bdbe}]}) dup2(r1, r0) [ 315.904894] binder: 12175:12177 BC_INCREFS_DONE u0000000000000000 node 201 cookie mismatch 0000000000000001 != 0000000000000000 [ 315.916752] binder: 12175:12177 got transaction to context manager from process owning it [ 315.925270] binder: 12175:12177 transaction failed 29201/-22, size 0-0 line 2887 [ 315.937030] binder: release 12175:12177 transaction 202 out, still active [ 315.945173] binder: undelivered TRANSACTION_COMPLETE 00:57:46 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:46 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = request_key(&(0x7f0000000000)='.request_key_auth\x00', &(0x7f0000000040)={'syz', 0x2}, &(0x7f0000000080)='ip6erspan0\x00', 0xfffffffffffffffe) keyctl$setperm(0x5, r1, 0x100000) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000340)=@setlink={0x3c, 0x13, 0x201, 0x0, 0x0, {}, [@IFLA_IFNAME={0x14, 0x3, 'ip6erspan0\x00'}, @IFLA_MTU={0x8}]}, 0x3c}}, 0x0) r2 = socket(0x10, 0x80002, 0x0) sendmmsg$alg(r2, &(0x7f0000000140)=[{0x0, 0x0, &(0x7f0000000100), 0x0, &(0x7f0000000100)}], 0x492492492492805, 0x0) [ 316.059986] binder: undelivered TRANSACTION_ERROR: 29201 [ 316.065932] binder: send failed reply for transaction 202, target dead 00:57:46 executing program 2: r0 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000380)='/dev/video35\x00', 0x2, 0x0) ioctl$VIDIOC_TRY_FMT(r0, 0xc0d05640, &(0x7f0000000280)={0x1, @raw_data="8a72c3b61e5485960936c985402bf106c5f51f21482fa0f603c99b9afecaedfe3a443455bcf85512218fd3e52407afc91848cc343bb9937bab07361fca37b98c9e6fff1995bc0ac318e121ea1489e076a10665cc63f6d7e7f2d7b46e54630d892a6a75aa8ace885e49c8628eda8253262a22e041300c0f9833aede5c5a4c43e9699e0aa790e75d6f78a903bcade7d5971139249dfc6971e032a0e727c0de64da7165813d8df56f83ef01fbf9dfaf3a95e1f7142fd28b550de888e11cf5a79859fd6e11e171bcbd38"}) ioctl$VIDIOC_SUBDEV_G_FMT(r0, 0xc0585604, &(0x7f0000000140)={0x1, 0x0, {0xf8, 0x80000000, 0x200f, 0x2, 0xf, 0x0, 0x1, 0x2}}) ioctl$VIDIOC_CREATE_BUFS(r0, 0xc100565c, &(0x7f0000000040)={0x700000000000000, 0xa73b, 0x5, {0x7, @sliced={0x5, [0xd1b, 0x1ff, 0xb7a, 0xfffffffffffffff5, 0x0, 0x80000001, 0x80, 0x1000, 0x9, 0x8, 0x20, 0x6, 0x1f, 0x401, 0xffffffff, 0x3, 0xbbe, 0x1, 0x0, 0xe5d, 0x1f, 0x1ac, 0x6, 0x7, 0x40, 0x4, 0x80000000, 0x34, 0x40, 0x1, 0x0, 0xd0, 0x25f2, 0x4, 0x6, 0x6, 0x8aaa, 0x5, 0x1, 0x7fffffff, 0x1, 0x7f, 0x2, 0xff, 0x1, 0x572, 0x8, 0x4], 0xfff}}}) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x2, 0x0) openat$nullb(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/nullb0\x00', 0x20000, 0x0) [ 316.225050] binder: 12184:12186 BC_INCREFS_DONE u0000000000000000 node 205 cookie mismatch 0000000000000001 != 0000000000000000 [ 316.237002] binder: 12184:12186 got transaction to context manager from process owning it [ 316.245621] binder: 12184:12186 transaction failed 29201/-22, size 0-0 line 2887 00:57:46 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}, 0x0, 0x0, 0x6}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x2, 0x0) perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet(0x2, 0x4000000000000001, 0x0) r2 = socket$inet(0x2, 0x3, 0x2) r3 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000100)='/dev/mixer\x00', 0x400000, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_MAX_SIZE(r3, 0x28, 0x2, &(0x7f0000000300)=0x43c5bd4b, 0x8) setsockopt$inet6_MRT6_ADD_MIF(0xffffffffffffffff, 0x29, 0xca, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x68e4}, 0xc) setsockopt$inet_int(r2, 0x0, 0xca, &(0x7f0000000000)=0x10001, 0x10) setsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f00000001c0)={{{@in6, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0xa}}, {{@in6=@mcast1, 0x0, 0x2b}}}, 0x1ce) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r3, 0xc0045516, &(0x7f0000000340)=0x4) r4 = signalfd(r1, &(0x7f0000000040)={0x7}, 0x8) syz_open_dev$rtc(&(0x7f0000000580)='/dev/rtc#\x00', 0x4, 0x40000) setsockopt$IP_VS_SO_SET_FLUSH(r1, 0x0, 0x11, 0x0, 0x0) r5 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs\x00', 0x80000, 0x0) setsockopt$IP_VS_SO_SET_DEL(r2, 0x0, 0x484, &(0x7f00000003c0)={0x8, @multicast2, 0x4e23, 0x0, 'lblcr\x00', 0x2, 0x99, 0x31}, 0x2c) getsockopt$IP_VS_SO_GET_DESTS(r0, 0x0, 0x484, &(0x7f0000000500)=""/119, &(0x7f0000000140)=0x77) lremovexattr(&(0x7f00000002c0)='./file0\x00', &(0x7f0000000600)=ANY=[@ANYBLOB="6f737816693a5e707217f700000a0cda7b1931f052d9d2c41bf137"]) setsockopt$IP_VS_SO_SET_STARTDAEMON(r2, 0x0, 0x48b, &(0x7f0000000380)={0x2, 'gretap0\x00'}, 0x18) ioctl$TIOCCBRK(r4, 0x5428) r6 = msgget(0x3, 0x1) msgsnd(r6, &(0x7f0000000400)={0x2, "97f23ea5b830e70f14ef887913e7c903943f2a6c7a54850a469262ed1147b009e7825e6d3cfcc81256595126083e9505efba953fb62a3ef9f4ecf80fa0bddf99d957b11c4db502209e431a127a225d5918c283c2551ffb5e67048d465046c188d4f26a492d2e742e82fb03a66c711f1b472b999cde1cbc17a3044fe05b0e2765a21a80e57b80a6b9899087b2b63774281048d23c1ba49d773b409315e24271"}, 0xa7, 0x800) setsockopt$inet_int(r0, 0x0, 0x12, &(0x7f0000000000)=0x24, 0x4) ioctl$SCSI_IOCTL_GET_BUS_NUMBER(r5, 0x5386, &(0x7f00000005c0)) bind(r0, &(0x7f0000000080)=@in={0x2, 0x4e20}, 0x7c) sendto$inet(r0, &(0x7f0000000200), 0x0, 0x0, &(0x7f0000000280)={0x2, 0x2000000008004e20}, 0x10) recvmmsg(r0, &(0x7f00000004c0)=[{{&(0x7f0000000400)=@ethernet={0x0, @dev}, 0x0, &(0x7f0000000480)}}], 0x6fdaec, 0x22, 0x0) [ 316.314631] binder: release 12184:12186 transaction 206 out, still active [ 316.321696] binder: undelivered TRANSACTION_COMPLETE 00:57:46 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) r3 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/autofs\x00', 0x400, 0x0) r4 = syz_open_dev$dspn(&(0x7f00000000c0)='/dev/dsp#\x00', 0x5, 0x80) ioctl$sock_bt_bnep_BNEPCONNADD(r3, 0x400442c8, &(0x7f00000001c0)={r4, 0x2, 0x4, "f45a58c2c6f2d2b5b2429a4c602a3b5b17fc7ab455d95df6a4debd2550490b0213fd168c21f9d5aa71cb7112d0e01adc7ab82a9dca87deab713aa6eeac1f4a8828d8e849ad66bc0f0d439c5ced282aa87260a229b01c7a40f7e40a45068f7826982dff1669d7f22b9074376154d456ac27312b1fd232a25327c4196bd41a4f1c7394b99e"}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffd9c) ioctl$VIDIOC_ENUMSTD(0xffffffffffffffff, 0xc0485619, &(0x7f0000000080)={0x0, 0x0, "86f2c403869f8b597e663a8ee80d98940c797b6585e82ca3"}) openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc0\x00', 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:57:46 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 316.475089] binder: undelivered TRANSACTION_ERROR: 29201 [ 316.480711] binder: send failed reply for transaction 206, target dead [ 316.513646] IPVS: set_ctl: invalid protocol: 8 224.0.0.2:20003 [ 316.537354] IPVS: length: 119 != 24 [ 316.563843] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. [ 316.589783] IPVS: sync thread started: state = BACKUP, mcast_ifn = gretap0, syncid = 0, id = 0 [ 316.613258] IPVS: set_ctl: invalid protocol: 8 224.0.0.2:20003 [ 316.620109] IPVS: length: 119 != 24 [ 316.634108] binder: 12202:12204 BC_INCREFS_DONE u0000000000000000 node 209 cookie mismatch 0000000000000001 != 0000000000000000 [ 316.645969] binder: 12202:12204 got transaction to context manager from process owning it [ 316.654507] binder: 12202:12204 transaction failed 29201/-22, size 0-0 line 2887 00:57:46 executing program 3: chdir(&(0x7f0000000000)='./file0\x00') r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/vs/drop_packet\x00', 0x2, 0x0) r1 = accept$unix(r0, 0x0, &(0x7f0000000080)) fsetxattr$security_selinux(r0, &(0x7f00000000c0)='security.selinux\x00', &(0x7f0000000100)='system_u:object_r:semanage_exec_t:s0\x00', 0x25, 0x2) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000140)=0x0) r3 = syz_open_procfs(r2, &(0x7f0000000180)='coredump_filter\x00') ioctl$VT_RELDISP(r1, 0x5605) ioctl$RNDGETENTCNT(r3, 0x80045200, &(0x7f00000001c0)) lseek(r1, 0x0, 0x1) r4 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer\x00', 0x80080, 0x0) ioctl$KVM_GET_CPUID2(r3, 0xc008ae91, &(0x7f0000000240)={0x4, 0x0, [{}, {}, {}, {}]}) getsockopt$inet6_buf(r4, 0x29, 0xfe, &(0x7f0000000300)=""/66, &(0x7f0000000380)=0x42) setsockopt$TIPC_MCAST_BROADCAST(r0, 0x10f, 0x85) ioctl$KDGETLED(r3, 0x4b31, &(0x7f00000003c0)) ppoll(&(0x7f0000000400), 0x0, &(0x7f0000000440)={0x0, 0x989680}, &(0x7f0000000480)={0x1}, 0x8) r5 = openat(r4, &(0x7f00000004c0)='./file0/file0\x00', 0x2, 0x80) setsockopt$inet6_icmp_ICMP_FILTER(r0, 0x1, 0x1, &(0x7f0000000500)={0x8}, 0x4) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f00000005c0)={0x0, 0x18, 0xfa00, {0x3, &(0x7f0000000580)={0xffffffffffffffff}, 0x117, 0xf}}, 0x20) write$RDMA_USER_CM_CMD_JOIN_MCAST(r3, &(0x7f0000000600)={0x16, 0x98, 0xfa00, {&(0x7f0000000540), 0x2, r6, 0x0, 0x0, @ib={0x1b, 0x9, 0x7ff, {"ef08996ce69054b4159a838aad9508a4"}, 0x80, 0x1000, 0x400}}}, 0xa0) r7 = openat$rtc(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/rtc0\x00', 0x8000, 0x0) ioctl$PPPIOCSMAXCID(r7, 0x40047451, &(0x7f0000000700)=0x723c) r8 = semget$private(0x0, 0x3, 0x322) semctl$IPC_INFO(r8, 0x0, 0x3, &(0x7f0000000740)=""/211) connect$inet(r0, &(0x7f0000000840)={0x2, 0x4e21, @multicast2}, 0x10) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r5, 0x40505331, &(0x7f0000000880)={{0x6, 0x8}, {0x8, 0x8}, 0x2, 0x6, 0x5}) connect$inet(r7, &(0x7f0000000900)={0x2, 0x4e23, @rand_addr=0x3}, 0x10) ioctl$KVM_CREATE_PIT2(r0, 0x4040ae77, &(0x7f0000000940)={0x80000001}) ioctl$KVM_ASSIGN_SET_MSIX_NR(r3, 0x4008ae73, &(0x7f0000000980)={0x0, 0x1000}) ioctl$FIGETBSZ(r5, 0x2, &(0x7f00000009c0)) ioctl$CAPI_NCCI_GETUNIT(r4, 0x80044327, &(0x7f0000000a00)=0x4) [ 316.665258] binder: release 12202:12204 transaction 210 out, still active [ 316.672350] binder: undelivered TRANSACTION_COMPLETE 00:57:46 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:46 executing program 1: r0 = socket(0xa, 0x2, 0x0) getsockopt$inet_sctp_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f0000000000), &(0x7f0000000100)=0xb) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000040)=@nat={'nat\x00', 0x3c1, 0x1, 0x188, [0x20000600], 0x0, &(0x7f00000000c0), &(0x7f0000000600)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0100000003000000000000000000697036677265300000000000000000006c6f00000000000000000000000000006272696467653000000000000000000067726530000000000000000000000000aaaaaaaaaa000000000000000180c2000000000000000000001070000000a8000000f80000006172707265706c790000000000000000000000000000000000000000000000001000000000000000aaaaaaaaaabb0000000000000000000049444c4554494d4552000000000000000000000000000000000000000000000028000000000000000000000073797a30000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff00000000"]}, 0x200) [ 316.774374] binder: undelivered TRANSACTION_ERROR: 29201 [ 316.779923] binder: send failed reply for transaction 210, target dead 00:57:47 executing program 2: keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='load user:{ 0128 '], 0x1, 0x0) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180)={'syz'}, &(0x7f0000000100), 0x1f1, 0xfffffffffffffffe) r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x0, 0x0) ioctl$sock_SIOCGIFBR(r0, 0x8940, &(0x7f0000000080)=@add_del={0x2, &(0x7f0000000040)='eql\x00'}) [ 316.965849] binder: 12210:12211 BC_INCREFS_DONE u0000000000000000 node 213 cookie mismatch 0000000000000001 != 0000000000000000 [ 316.977765] binder: 12210:12211 got transaction to context manager from process owning it [ 317.045971] binder: release 12210:12211 transaction 214 out, still active [ 317.053093] binder: undelivered TRANSACTION_COMPLETE 00:57:47 executing program 1: capset(&(0x7f0000000200)={0x20071026}, &(0x7f0000000080)) r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000e11ff0)=[{&(0x7f0000000140)="580000001400192340834b80040d8c560a067fffffff81004e220000000058000b4824ca945f64008000f0fffeffe809000000fff5dd0000000a0001000a0a0c00410400000000fcff000000000000000000000000000000", 0x58}], 0x1) r1 = fcntl$getown(r0, 0x9) sched_setattr(r1, &(0x7f0000000000)={0x30, 0x3, 0x1, 0x3ff, 0x3, 0x7, 0xfff, 0x4}, 0x0) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/loop-control\x00', 0x10800, 0x0) 00:57:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:47 executing program 2: r0 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x80400, 0x0) write$uinput_user_dev(r0, &(0x7f0000000140)={'syz1\x00', {0x7, 0x7, 0x70d6, 0x2000000000000}, 0x21, [0x8, 0x10001, 0x5, 0x6, 0x8000, 0xbe6, 0x40, 0x16, 0xfffffffffffff5e6, 0xcc, 0x10000, 0x9, 0x1374314d, 0x80000001, 0x9, 0x101, 0x7, 0x5, 0x1, 0xffffffff00000001, 0x80, 0x101, 0xa000000, 0x0, 0x7, 0x8333, 0xffffffffffffff14, 0xffffffff, 0x6, 0x3, 0x7, 0x2, 0x7, 0x9912, 0x6, 0x7fff, 0x2, 0x2, 0x7000000000000, 0x8, 0x1ff, 0x6cf, 0x408000000000000, 0xda17, 0xff, 0xff, 0x5, 0xffffffffffffffec, 0x1, 0x4, 0x8, 0x2, 0x0, 0x0, 0xfffffffffffffffe, 0x207000000, 0x1, 0x800, 0x2, 0x7, 0x8000, 0xfffffffffffffffd, 0x9, 0x400], [0x80, 0xff, 0x7f, 0x9, 0x3, 0xfff, 0x1, 0x4, 0x5, 0x1, 0x8, 0x8, 0x9a1b, 0x5, 0x7, 0x9, 0xcd0, 0x400, 0x9, 0x1, 0x7, 0x100, 0x7, 0x306a, 0x8000, 0xfffffffffffff800, 0x10001, 0x10001, 0x26c0, 0xffffffffffffa5fe, 0x7, 0x1000000000000000, 0x2, 0x0, 0x100000000, 0x9, 0x8, 0x7fddb369, 0x0, 0xffffffffffffff01, 0x0, 0xe61, 0x6a, 0x2, 0x20, 0x4, 0x1, 0x8, 0x6, 0x793, 0x9, 0x9, 0x0, 0x2, 0x20, 0x8, 0xffffffff, 0x8, 0x200, 0x7ff0000000, 0x11, 0x2], [0x5, 0x3, 0x7c2c, 0x5fe, 0x1, 0x8, 0xffffffff00000001, 0x7, 0x0, 0x0, 0xa6, 0x59, 0x6e, 0x1, 0x3, 0x7, 0x2, 0x1, 0x3dd0a640, 0x80, 0x101, 0x0, 0x4, 0x6d03, 0x6, 0x2, 0x1f, 0x6, 0xfffffffffffffffb, 0x400, 0x7fff, 0xb3a7, 0x1, 0x4, 0xfffffffffffffffa, 0x8, 0x9, 0x1, 0x200, 0x1, 0x4f6, 0x8, 0x7bf5, 0x80000001, 0xfffffffffffffff9, 0x6, 0x9, 0x5, 0x80, 0xfff, 0x3d200000000000, 0x7ff, 0x6, 0x45, 0x7fff, 0x5fe, 0x200, 0x5, 0x3, 0xfffffffeffffffff, 0xfff, 0x8, 0x1, 0x9], [0x8000, 0xffffffff80000001, 0x1ff, 0x80, 0x7, 0x1000, 0x4, 0x3, 0xfff, 0x1ff, 0x82, 0xfffffffffffff95d, 0x0, 0x7, 0x9, 0x42, 0x7ff, 0x8, 0x1a1, 0x7fffffff, 0x20, 0x100, 0x2, 0x4, 0x4, 0x1, 0x4, 0xba, 0x8000, 0x3b7, 0x7, 0x24000000000000, 0x5b05, 0x2, 0xfffffffffffffffe, 0xdf, 0x3fffc0000, 0x78ef, 0x5b3, 0x8000, 0x7, 0x6, 0x65d2accb, 0x7ff, 0x3, 0x8, 0x8, 0x80000001, 0x40, 0x7, 0x7, 0x9f, 0x1000, 0x400, 0x1, 0x0, 0x7f, 0xfffffffffffffc01, 0x9, 0x8, 0x782, 0x1, 0x3, 0x1]}, 0x45c) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, 0x0, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)={0x2c, 0x1d, 0xfffffffffffffffd, 0x0, 0x0, {0x7592da15}, [@nested={0x18, 0x2a, [@typed={0x900, 0x0, @ipv6=@mcast2={0xff, 0xe}}]}]}, 0x2c}}, 0x0) ioctl$SNDRV_CTL_IOCTL_TLV_COMMAND(r0, 0xc008551c, &(0x7f0000000080)={0x0, 0x20, [0x8, 0x4, 0x3, 0x9, 0x730, 0x57000, 0x7f, 0x8]}) [ 317.232718] binder: send failed reply for transaction 214, target dead [ 317.326524] capability: warning: `syz-executor.1' uses deprecated v2 capabilities in a way that may be insecure [ 317.363853] binder: 12220:12221 BC_INCREFS_DONE u0000000000000000 node 217 cookie mismatch 0000000000000001 != 0000000000000000 [ 317.375764] binder: 12220:12221 got transaction to context manager from process owning it [ 317.434061] binder: release 12220:12221 transaction 218 out, still active [ 317.441069] binder: undelivered TRANSACTION_COMPLETE 00:57:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:47 executing program 2: ioctl$TIOCSSOFTCAR(0xffffffffffffffff, 0x40096100, &(0x7f0000000040)=0xffffffffffffffff) [ 317.535533] binder: send failed reply for transaction 218, target dead 00:57:47 executing program 1: capset(&(0x7f0000000200)={0x20071026}, &(0x7f0000000080)) r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000e11ff0)=[{&(0x7f0000000140)="580000001400192340834b80040d8c560a067fffffff81004e220000000058000b4824ca945f64008000f0fffeffe809000000fff5dd0000000a0001000a0a0c00410400000000fcff000000000000000000000000000000", 0x58}], 0x1) r1 = fcntl$getown(r0, 0x9) sched_setattr(r1, &(0x7f0000000000)={0x30, 0x3, 0x1, 0x3ff, 0x3, 0x7, 0xfff, 0x4}, 0x0) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/loop-control\x00', 0x10800, 0x0) [ 317.656429] binder: 12231:12234 BC_INCREFS_DONE u0000000000000000 node 221 cookie mismatch 0000000000000001 != 0000000000000000 [ 317.668387] binder: 12231:12234 got transaction to context manager from process owning it [ 317.737086] binder: release 12231:12234 transaction 222 out, still active [ 317.744185] binder: undelivered TRANSACTION_COMPLETE 00:57:47 executing program 2: r0 = memfd_create(&(0x7f00000000c0)='\xc8\x00\x04\x00\x00', 0x4) write(r0, &(0x7f0000000080)=')', 0x1) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x4, 0x11, r0, 0x0) fsetxattr$trusted_overlay_redirect(r0, &(0x7f0000000000)='trusted.overlay.redirect\x00', &(0x7f0000000100)='./file1\x00', 0x8, 0x3) ftruncate(r0, 0xa00002) sendfile(r0, r0, &(0x7f0000000040), 0xff8) quotactl(0x2080000201, &(0x7f0000000280)='./file1\x00', 0x0, &(0x7f0000000180)="a317e9f12e23234f3df193a8113dd840f9463668237cc86a14c429847f2c9465a22632aa8fabb22d413847c65009e2cf8677b49ded3fd1d833ffed3674da1e7e6cc77140f17b199adcf9ff3bd66a27e1b34df80a3003ac9a176b63a05eb76adf16d5a470a6f6ca73811d7f4124a160341f81774ac4431f4fba5e5af28bcc706781") 00:57:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 317.871141] IPVS: ftp: loaded support on port[0] = 21 [ 317.873743] binder: send failed reply for transaction 222, target dead [ 317.964836] binder: 12243:12244 BC_INCREFS_DONE u0000000000000000 node 225 cookie mismatch 0000000000000001 != 0000000000000000 [ 317.976679] binder: 12243:12244 got transaction to context manager from process owning it [ 318.113469] binder: release 12243:12244 transaction 226 out, still active [ 318.120442] binder: unexpected work type, 4, not freed [ 318.125823] binder: undelivered TRANSACTION_COMPLETE [ 318.203763] binder: send failed reply for transaction 226, target dead [ 318.306444] chnl_net:caif_netlink_parms(): no params data found [ 318.375385] bridge0: port 1(bridge_slave_0) entered blocking state [ 318.381861] bridge0: port 1(bridge_slave_0) entered disabled state [ 318.390363] device bridge_slave_0 entered promiscuous mode [ 318.400427] bridge0: port 2(bridge_slave_1) entered blocking state [ 318.407013] bridge0: port 2(bridge_slave_1) entered disabled state [ 318.415496] device bridge_slave_1 entered promiscuous mode [ 318.451132] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 318.462744] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 318.494385] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 318.503054] team0: Port device team_slave_0 added [ 318.510101] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 318.519055] team0: Port device team_slave_1 added [ 318.526120] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 318.534672] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 318.709104] device hsr_slave_0 entered promiscuous mode [ 318.852757] device hsr_slave_1 entered promiscuous mode [ 318.973565] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 318.981196] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 319.017767] bridge0: port 2(bridge_slave_1) entered blocking state [ 319.024357] bridge0: port 2(bridge_slave_1) entered forwarding state [ 319.031470] bridge0: port 1(bridge_slave_0) entered blocking state [ 319.038109] bridge0: port 1(bridge_slave_0) entered forwarding state [ 319.141149] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 319.149486] 8021q: adding VLAN 0 to HW filter on device bond0 [ 319.165785] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 319.181084] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 319.191762] bridge0: port 1(bridge_slave_0) entered disabled state [ 319.204187] bridge0: port 2(bridge_slave_1) entered disabled state [ 319.218826] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 319.236458] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 319.242671] 8021q: adding VLAN 0 to HW filter on device team0 [ 319.265997] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 319.274648] bridge0: port 1(bridge_slave_0) entered blocking state [ 319.281163] bridge0: port 1(bridge_slave_0) entered forwarding state [ 319.300346] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 319.315619] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 319.326716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 319.335654] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 319.344392] bridge0: port 2(bridge_slave_1) entered blocking state [ 319.350869] bridge0: port 2(bridge_slave_1) entered forwarding state [ 319.359469] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 319.374415] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 319.382834] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 319.398612] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 319.405740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 319.414953] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 319.427950] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 319.441115] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 319.448367] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 319.457911] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 319.473523] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 319.483158] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 319.491656] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 319.503871] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 319.513551] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 319.522242] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 319.534601] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 319.540713] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 319.569505] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 319.593678] 8021q: adding VLAN 0 to HW filter on device batadv0 00:57:49 executing program 3: r0 = syz_open_dev$loop(&(0x7f00000000c0)='/dev/loop#\x00', 0x0, 0x182) r1 = memfd_create(&(0x7f0000000100)='t\bnu\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x00', 0x0) pwritev(r1, &(0x7f0000000340)=[{&(0x7f0000000040)='\'', 0x1}], 0x1, 0x81805) ioctl$LOOP_CHANGE_FD(r0, 0x4c00, r1) ioctl$LOOP_SET_CAPACITY(r0, 0x4c07) exit(0x3) 00:57:49 executing program 1: r0 = getpid() ptrace$getsig(0x4202, r0, 0x0, &(0x7f0000000000)) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc0\x00', 0x210000, 0x0) ioctl$BLKRAGET(r2, 0x1263, &(0x7f00000001c0)) getsockopt$inet_tcp_int(r1, 0x6, 0x22, 0x0, &(0x7f0000000180)) r3 = socket$netlink(0x10, 0x3, 0x0) r4 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_MON_SET(r3, &(0x7f00000003c0)={&(0x7f00000000c0), 0xc, &(0x7f0000000140)={&(0x7f0000000400)=ANY=[@ANYBLOB="0078040afee1a6825b9e7fb93903910b37f7d84d5cf7eb2f3718a6d216901896502465640b7108ef52964adb5a121bf324e0b9388627201bbd1fa2efb2f0f0559b03ae9ea15ad5febf3fd0798256f153fb0a83c7ef7e0a4d2269b1779946f6d3a56166", @ANYRES16=r4, @ANYBLOB="04072cbd7000ffdbdf2511000000340101000800030000800000080003007257000044000200080004000500000008000100040000000800020009000000080001001a00000008000200030000000800020002000000080004000300000008000400040000001000010069623a726f7365300000000044000200080004000900000008000300020000000800040000000100080001000100000008000100180000000800020009000000080003008100000008000400040000002c0004001400010002004e237f00000100000000000000001400020002004e22ac1414aa0000000000000000100001007564703a73797a310000000044000400200001000a004e220000d6bdff02000000000000000000000000000102000000200002000a004e2300000008ff0100000000000000000000000000010300000008000300000001002400020008000100a30000000800020004000000080001000100008008000100050000004c000500040002004400020008000200000000800800020000000100080001001f000000080003000900000008000400e700000008000100060000000800030000000000080001001600000028000600080001000000000004000200040002000800010043de0000040002000400020004000200"], 0x1e0}, 0x1, 0x0, 0x0, 0x24040850}, 0x20000800) 00:57:49 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = add_key(&(0x7f0000000000)='big_key\x00', &(0x7f0000000040)={'syz', 0x1}, &(0x7f00000000c0)="e121ac0430ed42f147525d1f", 0xc, 0xfffffffffffffffd) r3 = add_key(&(0x7f0000000100)='id_resolver\x00', &(0x7f0000000180)={'syz', 0x0}, &(0x7f00000001c0)="5a62e5f8941f30f9d275022a0a6d35fcfd5ef8d2825385a4ee4171cd509398085f13fd7749c8ebc5242c9bd8a6743de507b9711db7cdb528468611b5c823a2951a761e48e140706c734c815273b22efd3d36f92c2e62d758ee4152060a6e909aadf71dc43b77783a0808a9b6fa6c40bbc145b7d9a7acf1ea324ea17e5ec30eb18959cc6789004c553e8c4de3d353fc9c0284dca26c6fb0d44e7da1701a3e2ae84eac5701bfaaf3d464950225a00583b5ee53316f21500a97771b1b6a758641d54d9e70bb57ce72c8f4755bae389569cc6e59f7f3d26b03b450390520f0c7e1b8c2d6ba53d2932a10dc6864de3da10c2631da0436ccdfe319d5f688b1caf57eefa593e31e6e2c319e02494fd06a3398dfd82831ab0828556665cbd0cf3d28ede3ed40d698d0d6813deeca5eedcf1866f005b20098d814c51e3858893ef08f656b092a08af0f4a75c7661fc70afbfe8bc512e2e1320c0ac4ef9908b22378a65dbda9ef633a6576292762d110d97ebf0c7ed97ecf50c328aeed142686167d6bad3236dae094d2a7e8c755592f55cb56cd3fb535f3e4d3eda0aa0ca96c64b977c4a293cdf75dc0ecb1d575afb2c1f29289ee2c6dfc1260199c7fa0d4fd84d8ed823fc0491e5211cda106a09c647deb92fe5807f43f2b6c7126db12f5a0ed891385be8a3ff30f961e0545c047975cacf86ca2cf5c7a20e12d720ec9136e5bee486a5461326dc081de74b74d843567f57b4232a908e6f3c7368de28f91d50421d7f27b9dfb6a8ae2bde5df009c7a711fff0c6dcef583532ffd28157d4e5824cfbc83831e12932244dc44b26029a0dc9b10634995d1619d3a2639276011af1e6770bfe628f8da75523c0497659b33bd90ada25a1ca1c2e68eea1a1768d39f616c16c76c91d6f61918afedd219afff2d8aba51b4eca8f8976188d02f4d670ff8786eece8b5d37dd524435a14f78dfbdf16e87501d88cf926c09745a016c8b5bd30832c36e64932378ad853a5874a8af7f119a843857823c5fe02b8d354421ac240fa4487b1d35cc92bb8c6646860d9734185af874367e2607f46f253c362b8b19bd6e1ba4f275d39cbd401d6a4cc380e6071fe59a792a28f108c76ebd268efabee375190d01ac33ec239ff8158ea3f0e9a8ba461d495ee3cf5e671351905bd6b3801b7cf43884856e7590d047ee22d95c5dce3b55d2349600127f51aa9e9db6bd11aff09dd79efd0c96cc53b71afe21a52ff50970e5aa3e29da7a26962366b70e57d90909bf33992bd0f2709e2c6c16e79d307cd1e926fcf2ddecd262ba3eef0bdef265adef55707e2d74f364e15710af70433ffcb97068adfe933f41da9b1738573a51ff13cc75f9de9bfa77127a1337c3c0105b5b599f66038c568cc0d6007639e4cdf1e650cf56ce7ca0d2d8497e6190e39f9bda5b82fb6cc63d30dd4c492eb062842553bc4a34c301c68037523aa4324c40d284b3abd536853a2aaa15011fbe3b1bfa2c5e4b45cb192178836e6db3dec905885104530afe9141177f8d8c9211f4a2ea1c8a4845bfb2c317db0626963a4a3872bbea929835967d618ed3d1bde303045e8cbe3cb3e76de429fdf50d1e6144ca911c36db607574e54cc46b404f1457bed9279e4869f8287a306dda78a6ff2eb5f851e47688fe525a4583aeb912bfd5626dfb2b4b3ab72912e50cb7f89002138bc2b4092922e1cffb048fe33d97bb6ea5cf7a50c58c7e480988f5066422128cec2c0b3225549b801277a10880e4a43a992dcabcfb2a54e0adf18cb3bebc2b452388717fd6d7e3c1618753c7c105406f7efcd3b7adc7210e15a6108b3db7a610701cf4f61853b91d03230b833532d705aab565b83c496a70ddaed3598422ba4273737c58ae3b61585e65aa2f827d58173422ce1d971e9764d7c72516c1a4ed0a78d95832824cb4d4fef933662fd3f445ff3af88f774fe852f0ba250fb9e8ddc89d7d88a5af357b561b1ab8e8a3f0837a41dc3d5012ff006d9a63f0c554f8f95a64f8281b5da6d11b8a0a8c348e08c27c12ee7ce752ec19ceaa38685d0b16d0fb2b4492912b6dba18c3b172b3651a4ff2a16351b105bfef358705f2b1885d9cb4df9b69b88aaff6a4de2cefbc04cc0b1b869b5fa46e06471c1e3ee3b7e02e25110c8254b7bfc917275368306bcf9dae80e312dde1fdf45cd73642de74674148805c286d3c55ac6a604fe04127c394f2080f93e97aeff6efa39415ad2ecaf902f750f60f051e4fc5c0fd9e84d3dfbe17784469c43bbf7ca8123b26bf28912360e7b31e7e411903d4c495b5136e457207713fcc85a277554e7b65265b6e1a6220452883ee9464bdd5127daadf361f7823f9b2c9cbd3eb7a5eacce9e79269c82b9890292e0806b1190518519f18d5766edac44817270510d5994236500b2dac852fafecec90f8f88729730391c4a0afe19d549a7f2df4512cbae42b1b68fc1d66f0a93cd9a2d218b34d4825b7142f09cb54b9e0729a21282d860d54c07686303eab103e88fc63d5c68915191ed9ccaaff3977f07adafe266f23a0c5010390bc1a13a43a72c0714dfb447ebc6360c0c12affe4fc68922b8c3e463f944e6b559d611ee341ac60edf7b77022b352e2e037f239c252bb2fa3f632073b28a52338ffb033b00b5d99b13934e19998eee802dd182dfe486c62c184a11ea7ab6405125fb92879e34b2ae06207251ae60a98090f167cafa9e4c2adddf2ea2b141046358c9caa76d2f227a0f5cc2ad1268ce0b93f4a9fdabc0b087aef2766828aa20b32244715675acb404cd15e2488d66cb3096cf1e5225e75e405f67db73515538c622d8b6b742c25d9214c078e6b90baa6a705550b0e6c12dbd2c31e8cf487310c63bf9f72a33c6227748e39e527b61709571258ffd9f80dfd2a2572b12d9c9eef8a39b9b2edc1198d91dac8fc5fb8f0385434bc4529da56831c6f4053b5dee77be6998d78f89a97f03d2bf68c290e8f0eb7154f1987983cf3415168795311efd1e5c2890301e79d362c3569a73dbf2e611c13e7bf65deea7c79f607a746c77f355c17651def841c31bd872aa61cabbee13e62803a21b77bf9294f5d416674b9f7489a3e8b8c109936a6aa3902c414624d42160420f11216ad1f6b76efdc3c1815f2ef4dc5d0c2a01c98b73c71c2d3c18663529c5b1230b5f2b6a0b81476ed8c4e592b71436e6147bc30e248a592e208b584e56c279711e96391c636d4785322246ed39de5353c75198debc837dd939f0783d29964babb64673849277c1c78c144b5dd4107ebc68805f5b24ee5b4be603f9e6cd70d4d6dee0ddfbd94ac287a20ed56bb256582037c289bcfbc88786cf21684b2ed46596a35b9196ab204e0e984163ff5c060580f959fc807db7e9272eabc7be5fb01f37cc19c5d9b580a6d3fc2bf1e37278cf9d79e5cca753b8563a9283ff786174a19571747befbcd693b6a16137ea080637bce1868f1e1bf7ff4b857992f3bd300de47403d2dd9b1752a69389b4df24ab42c4eacc7e7534c1087cb241bf20a1d4b0e3d2461a03ad6e41d27d8d3e61d7a153f5d5a9555bec5d2fb8186965d6fa821ec5224f59922cd74baa2283e42208fe2fa89398a585df107fa0434dc63b87277a14044ef08b5524ac1809fd22ccbe701be86fcb038976eb052892bcbb1a6c2646561ab8efc736a84fa074bc36c2ad74c3a72470f59e64cff3ce220c8f2abc633d295df4fecba5bb010aa7956d524249183bb92a9485350d9baf8f2dc2897f49a58650cc0c53ab8091b316175f63597e9c20c0952762597b7c25e7817f4da7c5166505abacb0ac9f0644a240fd984fe0fe4b1485472b588f777ca79ce28ceba07fcb8c159ba5a5a1290e4893c5cb83ed4e77b7d6d729681ef3459ca55af35b1af9216cb26beeffa93d70700803358270cd02a6fe2e9cbe0f38fdb08173666579cccba5784e5b2ff2c47b479ce309bfb34318688cb9fd22491881df06a55464080f5103758f6cf4cce43131a26ccb17e433a425ddda74526151e82070324c827fa317479b250f1abe49edfd785f623ea31c6ad1ddb704519fc6603bdd0a8d9516e5e24d6d8d690bbc4525f078f9b9090fb7047ae6c3bb4f13944b0b2fd286f88de4de722cbf370cf6c517b3da8b96a9ee061e16b027314206cc87b70ffe1cd43e556b11ae9100ad2bf31e34bced21a40ff54e379f5898893425d5661a9c1c7cb587a1a6a61be24b968e1fce1b8c3e92e121791578a6096d8ed857ba0052158b93250a917db08caa1ee2ff619e88cd6c1ab873172969bf9755e3c0046f7064aa24164e7722eddb7341b5da6ee87b7b6c9d36ae4224866a432f4e59e4ea809039bd97b71c3b5a451474ffbc0b83e5da0fb6dcfa2d81eab43e0d499682f0d31e9fd8d805ea4fe177d29433cf756ed209fdd66578c09ce7116c4a765247534f49e44d683eba2b6fe3eb9d39f8f42fff138bb4cf797ae2e35c797b6c9863b6b480e08323cb436b7218effb2b9e382dec91070476449975b62612022f67d46ee4f7ccf04420c6f6875dd981a73143fdd29b8197d579ec074d05c090fa252ac3e7a984d1294333365afe538a4ecd7ad37cde5594e130cc3b3b40efe7360d4d8094fb883877724521cc5189ff31fe6f0973ab9417c3f5afc8e00a082644ca70e0dc3092727fbe2eb3ea064ead9a9610f207c055987f2ac3ce4e365aeabe6d774175671bec58b2c3ddca2c0b7c2d86fdbab6048d88355f9df354c25407ca8c51568730e508e849bc8960ea6d6b8db99e8626659f5ceb7f0408dc9f770b91f450f8c53773baa20ae11ef8070430b5bdff2a6d0f0d3755d0cb6428923cf41f090fa984631b9b15d2ff0a4fe8295dbc9e3ad071cc65142749a91ddfc48a31d35c0e7a7a7f00aa2bbddfce84d0d45bf01ce023d1139ad95b15fe8e0ad8ed9ff1e30e4e7b67b2677a12d7697048b215c6eaae247ce0b94bd5a42a06e19a11f7d559fd5d5a656c3a63636d7b723847b50ef9d7c9273ee99e468e326c531e584686f90e6d1647d9e982d59430c98d360b4479876e02704087c0b74d775c634a6472f0a0ad0e7485ed3a15d0efa099dce8fa8c78f38008484d557e2b69d727bae3c3d7975fd031a7a282c6dd4e700ed136f73c1aea13e35b9d7bff631638f830512b82291efad089b5ab5291e1e44fd13ce5f0eccc6431d4aa68e42f77793b36529aaaa87fcaa6bca4ee720c25a93d073ca02a9ce5738419f8853364d9ce8de572f43f9f1dff11a53d2a11898a85b268be0158bae08478556622fc5ab6dff11b5abe37602f7dc561031815415e71e6762798f6130d52072c81e0f505cac5e9c41eae3aa152a56d63dd17291f9c1fd1853d861d87d9ee6179d27f0cd92391844a671cd368ccc0e42f2dbf1d84b9ca2c900f87dae6d0f8a7efbf637eece1369a2e20306f4d6f07975179db03ed9875bffd9931fdd41d8b5409771e06510c30908112e6380d0dff0840bfcf9a9ff7bb6126ece222e10afb74596b98328fbd5888251601781cf72ab665db4b9ab35d2c8795cae74c7430ef507908d06f10e0184f3a9f9a5d425223801e2d6d2cc1f99384a753e998655e74482ef2048c6560e80d44d1b901711426588d023241ccc5b43be9632c82c5c5738e7e80bc3e2a661a0cbdfab252418017f832f771141b42cde421c108ad61dd3e7afcb6d3d37969e0aeea9530989f97607d924254e00f55b2ef4780bce91b232f1a819b26b046ff609a0368899487f258ef0ba5805edb5df475e03a73fcf749e05bbd8a43ad9b8f92b7cc91e296296248bb1f69c24ad", 0x1000, 0xfffffffffffffffe) keyctl$unlink(0x9, r2, r3) r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_GET_CPUID2(r4, 0xc008ae91, &(0x7f00000011c0)={0x1, 0x0, [{}]}) ioctl$KVM_SET_MSRS(r4, 0xc008ae88, &(0x7f0000000140)=ANY=[@ANYRESDEC=0x0, @ANYRES64=r1, @ANYRESDEC=r0, @ANYRES32=r4]) 00:57:49 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 319.877796] binder: 12258:12260 BC_INCREFS_DONE u0000000000000000 node 231 cookie mismatch 0000000000000001 != 0000000000000000 [ 319.889818] binder: 12258:12260 got transaction to context manager from process owning it [ 319.898369] binder_transaction: 4 callbacks suppressed [ 319.898424] binder: 12258:12260 transaction failed 29201/-22, size 0-0 line 2887 [ 319.968418] binder: release 12258:12260 transaction 232 out, still active [ 319.975774] binder: unexpected work type, 4, not freed [ 319.981079] binder: undelivered TRANSACTION_COMPLETE 00:57:50 executing program 1: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$packet(0x11, 0x3, 0x300) r2 = syz_open_dev$midi(&(0x7f00000016c0)='/dev/midi#\x00', 0x1, 0x260002) ioctl$sock_inet_tcp_SIOCINQ(r2, 0x541b, &(0x7f0000001700)) r3 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) ioctl$sock_inet_SIOCSIFBRDADDR(r3, 0x891a, &(0x7f0000000080)={'bcsh0\x00', {0x2, 0x4e24, @broadcast}}) setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000000)=[{0x28, 0x0, 0x0, 0xfffff01c}, {0x80000006}]}, 0x10) 00:57:50 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 320.101636] binder_release_work: 4 callbacks suppressed [ 320.101651] binder: undelivered TRANSACTION_ERROR: 29201 [ 320.113609] binder: send failed reply for transaction 232, target dead 00:57:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 320.324986] binder: BINDER_SET_CONTEXT_MGR already set [ 320.330536] binder: 12278:12280 ioctl 40046207 0 returned -16 [ 320.340127] binder: 12277:12279 BC_INCREFS_DONE u0000000000000000 node 237 cookie mismatch 0000000000000001 != 0000000000000000 [ 320.352132] binder: 12277:12279 got transaction to context manager from process owning it [ 320.360506] binder: 12277:12279 transaction failed 29201/-22, size 0-0 line 2887 [ 320.365206] binder: 12278:12280 BC_INCREFS_DONE u0000000000000000 no match 00:57:50 executing program 1: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu\x00', 0x200002, 0x0) r1 = openat$cgroup_int(r0, &(0x7f0000000080)='hugetlb.2MB.limit_in_bytes\x00', 0x2, 0x0) write$binfmt_elf64(r0, &(0x7f0000000280)={{0x7f, 0x45, 0x4c, 0x46, 0x2, 0xc156, 0xe8, 0x9, 0x400, 0x3, 0x0, 0x1, 0x21b, 0x40, 0x15, 0x7, 0x80000, 0x38, 0x2, 0x6, 0x1b80, 0x2}, [{0x7, 0x5, 0x1, 0x7fffffff, 0xa2a0, 0x3ff, 0x100000001, 0x7fff}], "1d028c110468e0b9be353651891052727097c8e1a0ba046ed2c7bb568061e6f0ec0c615a15fdcb9c8b3d22314d2804953b7cb05b429ba5880d3149d56731f29fcfb65daba60956c30096f74261a157938f28f1aa535f99d59e2eb938d3a2776a70a105808dc4", [[]]}, 0x1de) write$cgroup_subtree(r1, &(0x7f0000000240)=ANY=[@ANYBLOB='-1'], 0x2) [ 320.381252] binder: release 12278:12280 transaction 243 out, still active [ 320.389113] binder: unexpected work type, 4, not freed [ 320.394527] binder: undelivered TRANSACTION_COMPLETE 00:57:50 executing program 2: r0 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r0, 0x11b, 0x8, 0x0, 0x0) r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x210000, 0x0) setsockopt$RDS_GET_MR(r1, 0x114, 0x2, &(0x7f0000000100)={{&(0x7f0000000040)=""/104, 0x68}, &(0x7f00000000c0), 0xa}, 0x20) [ 320.500747] binder: release 12277:12279 transaction 238 out, still active [ 320.508561] binder: unexpected work type, 4, not freed [ 320.513921] binder: undelivered TRANSACTION_COMPLETE [ 320.534670] binder: release 12278:12280 transaction 247 out, still active [ 320.541799] binder: undelivered TRANSACTION_COMPLETE 00:57:50 executing program 1: syz_emit_ethernet(0x66, &(0x7f0000000100)={@link_local, @link_local, [], {@ipv6={0x86dd, {0x0, 0x6, "b40900", 0x30, 0xffffff3a, 0xf0ffff, @ipv4={[0x3580], [], @multicast2}, @mcast2, {[], @icmpv6=@time_exceed={0xffffff89, 0x0, 0x0, 0x0, [0x9, 0x4], {0x0, 0x6, "b680fa", 0x0, 0x0, 0x0, @ipv4={[], [], @broadcast}, @ipv4={[], [], @remote={0xac, 0x14, 0xffffffffffffffff}}}}}}}}}, 0x0) r0 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x400, 0x0) ioctl$SCSI_IOCTL_STOP_UNIT(r0, 0x6) 00:57:50 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 320.694616] binder: undelivered TRANSACTION_ERROR: 29201 [ 320.700309] binder: send failed reply for transaction 238, target dead [ 320.707123] binder: send failed reply for transaction 243, target dead [ 320.714112] binder: send failed reply for transaction 247, target dead [ 320.775365] QAT: Invalid ioctl [ 320.789315] QAT: Invalid ioctl 00:57:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:50 executing program 3: r0 = socket$rxrpc(0x21, 0x2, 0xa) setsockopt$RXRPC_MIN_SECURITY_LEVEL(r0, 0x110, 0x4, &(0x7f0000000100)=0xfffffffffffffffe, 0x1) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x20000, 0x0) ioctl$KVM_SET_TSC_KHZ(r1, 0xaea2, 0x9) getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f0000000080), &(0x7f00000000c0)=0x14) [ 320.835592] binder: 12296:12297 BC_INCREFS_DONE u0000000000000000 node 248 cookie mismatch 0000000000000001 != 0000000000000000 [ 320.847509] binder: 12296:12297 got transaction to context manager from process owning it [ 320.856010] binder: 12296:12297 transaction failed 29201/-22, size 0-0 line 2887 [ 320.905204] binder: release 12296:12297 transaction 249 out, still active [ 320.912660] binder: unexpected work type, 4, not freed [ 320.917988] binder: undelivered TRANSACTION_COMPLETE 00:57:51 executing program 1: r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/fuse\x00', 0x2, 0x0) read$FUSE(r0, 0x0, 0x0) r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000180)='/dev/qat_adf_ctl\x00', 0x800, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffff9c, &(0x7f0000000200)={0x0, 0x18, 0xfa00, {0x2, &(0x7f00000001c0)={0xffffffffffffffff}, 0x106, 0x100b}}, 0x20) write$RDMA_USER_CM_CMD_LISTEN(r1, &(0x7f0000000240)={0x7, 0x8, 0xfa00, {r2, 0xc87}}, 0x10) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000000)={0x0}, &(0x7f0000000040)=0xc) ptrace$pokeuser(0x6, r3, 0x7, 0x4) r4 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x44042, 0x0) ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffff9c, 0xc0206434, &(0x7f0000000100)={0x47, 0x0, 0x10001, 0x8}) ioctl$DRM_IOCTL_SG_FREE(r4, 0x40106439, &(0x7f0000000140)={0x1, r5}) 00:57:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 321.051813] binder: undelivered TRANSACTION_ERROR: 29201 [ 321.057556] binder: send failed reply for transaction 249, target dead [ 321.069602] Unknown ioctl 44706 [ 321.095172] binder: 12301:12304 BC_INCREFS_DONE u0000000000000000 node 254 cookie mismatch 0000000000000001 != 0000000000000000 [ 321.095718] Unknown ioctl 44706 [ 321.107023] binder: 12301:12304 got transaction to context manager from process owning it [ 321.107066] binder: 12301:12304 transaction failed 29201/-22, size 0-0 line 2887 [ 321.171163] binder: release 12301:12304 transaction 255 out, still active [ 321.177719] binder: BINDER_SET_CONTEXT_MGR already set [ 321.178346] binder: unexpected work type, 4, not freed [ 321.183799] binder: 12310:12312 ioctl 40046207 0 returned -16 [ 321.188864] binder: undelivered TRANSACTION_COMPLETE [ 321.232631] binder: 12310:12312 BC_INCREFS_DONE u0000000000000000 no match 00:57:51 executing program 3: mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0) r0 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0xc}) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000180)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r1 = openat$vnet(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vhost-net\x00', 0x2, 0x0) r2 = dup(r1) socket$nl_generic(0x10, 0x3, 0x10) ioctl$VHOST_SET_OWNER(r2, 0xaf01, 0x0) ioctl$KVM_IRQ_LINE_STATUS(r2, 0xc008ae67, &(0x7f0000000000)={0x3, 0x7fff}) ioctl$ifreq_SIOCGIFINDEX_team(r2, 0x8933, &(0x7f00000127c0)={'team0\x00'}) ioctl$TIOCSTI(r2, 0x5412, 0x0) ioctl$VHOST_NET_SET_BACKEND(r1, 0x4008af30, &(0x7f0000000080)) close(r0) [ 321.274098] binder: release 12310:12313 transaction 260 out, still active [ 321.281117] binder: unexpected work type, 4, not freed [ 321.286617] binder: undelivered TRANSACTION_COMPLETE 00:57:51 executing program 1: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) listen(r0, 0x3ea) timer_create(0x7, &(0x7f0000000140)={0x0, 0x3e, 0x0, @tid=0xffffffffffffffff}, &(0x7f00000001c0)=0x0) timer_settime(r1, 0x0, &(0x7f0000000200)={{0x77359400}, {0x77359400}}, &(0x7f0000000240)) r2 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r2, &(0x7f0000000000)={0xa, 0x0, 0x0, @loopback}, 0x1c) r3 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r3, &(0x7f00005fafd2)=@pppol2tpv3={0x18, 0x1, {0x0, r2, {0x2, 0x0, @multicast2}, 0x4}}, 0x2e) setsockopt$inet6_udp_int(r2, 0x11, 0x65, &(0x7f0000000480)=0x1ff, 0x4) write(r3, &(0x7f00000002c0), 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) write(r2, &(0x7f0000000180), 0x0) r5 = openat$vfio(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/vfio/vfio\x00', 0x642, 0x0) connect$vsock_stream(r5, &(0x7f0000000300)={0x28, 0x0, 0x0, @host}, 0x10) sendmsg$inet_sctp(0xffffffffffffffff, &(0x7f00000000c0)={&(0x7f0000000040)=@in={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10, &(0x7f0000000040), 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="2000000000000000840000000100000000000000018200000000000000000000"], 0x20}, 0x0) sendmmsg$inet_sctp(r0, &(0x7f0000000080)=[{&(0x7f0000000180)=@in={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10, &(0x7f0000562000), 0x0, &(0x7f00000c3000)=ANY=[@ANYBLOB="fcff2e57bf6b02000000000000000000000000000000000000000000", @ANYRES32=0x0], 0x20}], 0x4924924924924d0, 0x0) prctl$PR_SET_UNALIGN(0x6, 0x1) getsockopt$inet_sctp6_SCTP_RECVNXTINFO(r0, 0x84, 0x21, &(0x7f0000000000), &(0x7f0000000100)=0x4) 00:57:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 321.335082] binder: undelivered TRANSACTION_ERROR: 29201 [ 321.340644] binder: send failed reply for transaction 255, target dead [ 321.347541] binder: send failed reply for transaction 260, target dead [ 321.354351] binder: send failed reply for transaction 264 to 12310:12312 00:57:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 321.487426] binder: undelivered TRANSACTION_COMPLETE [ 321.492746] binder: undelivered TRANSACTION_ERROR: 29189 [ 321.536264] binder: 12323:12325 BC_INCREFS_DONE u0000000000000000 node 265 cookie mismatch 0000000000000001 != 0000000000000000 [ 321.548341] binder: 12323:12325 got transaction to context manager from process owning it [ 321.556829] binder: 12323:12325 transaction failed 29201/-22, size 0-0 line 2887 [ 321.606396] binder: release 12323:12325 transaction 266 out, still active [ 321.613544] binder: unexpected work type, 4, not freed [ 321.618251] binder: BINDER_SET_CONTEXT_MGR already set [ 321.618913] binder: undelivered TRANSACTION_COMPLETE [ 321.630218] binder: 12330:12333 ioctl 40046207 0 returned -16 [ 321.679811] binder: 12330:12338 BC_INCREFS_DONE u0000000000000000 no match [ 321.696248] binder: release 12330:12338 transaction 271 out, still active [ 321.704216] binder: unexpected work type, 4, not freed [ 321.709556] binder: undelivered TRANSACTION_COMPLETE [ 321.715325] binder: undelivered TRANSACTION_ERROR: 29201 [ 321.720858] binder: send failed reply for transaction 266, target dead 00:57:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 321.727628] binder: send failed reply for transaction 271, target dead [ 321.734396] binder: send failed reply for transaction 275 to 12330:12338 00:57:51 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 321.809625] binder: 12340:12341 BC_INCREFS_DONE u0000000000000000 node 276 cookie mismatch 0000000000000001 != 0000000000000000 [ 321.821579] binder: 12340:12341 got transaction to context manager from process owning it [ 321.830097] binder: 12340:12341 transaction failed 29201/-22, size 0-0 line 2887 00:57:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 321.885787] binder: undelivered TRANSACTION_COMPLETE [ 321.891027] binder: undelivered TRANSACTION_ERROR: 29189 00:57:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 321.985238] binder: BINDER_SET_CONTEXT_MGR already set [ 321.990636] binder: 12345:12346 ioctl 40046207 0 returned -16 [ 322.005092] binder: release 12340:12341 transaction 277 out, still active [ 322.012305] binder: unexpected work type, 4, not freed [ 322.017626] binder: undelivered TRANSACTION_COMPLETE [ 322.038976] binder: BINDER_SET_CONTEXT_MGR already set [ 322.044588] binder: 12347:12348 ioctl 40046207 0 returned -16 [ 322.076583] binder: 12347:12348 BC_INCREFS_DONE u0000000000000000 no match [ 322.076743] binder: 12345:12346 BC_INCREFS_DONE u0000000000000000 no match [ 322.094696] binder: release 12347:12348 transaction 282 out, still active [ 322.101775] binder: unexpected work type, 4, not freed [ 322.118750] binder: BINDER_SET_CONTEXT_MGR already set [ 322.124343] binder: 12350:12351 ioctl 40046207 0 returned -16 00:57:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 322.135512] binder: release 12345:12352 transaction 285 out, still active [ 322.142720] binder: unexpected work type, 4, not freed [ 322.156215] binder: 12350:12351 BC_INCREFS_DONE u0000000000000000 no match [ 322.170453] binder: undelivered TRANSACTION_ERROR: 29201 [ 322.176203] binder: send failed reply for transaction 277, target dead [ 322.182993] binder: send failed reply for transaction 282, target dead 00:57:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 322.189706] binder: send failed reply for transaction 289 to 12347:12348 [ 322.196637] binder: send failed reply for transaction 291 to 12345:12346 [ 322.203607] binder: send failed reply for transaction 292 to 12350:12351 [ 322.210479] binder: send failed reply for transaction 296 to 12350:12351 [ 322.217580] binder: undelivered TRANSACTION_ERROR: 29189 00:57:52 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 322.348347] binder: 12355:12357 BC_INCREFS_DONE u0000000000000000 node 297 cookie mismatch 0000000000000001 != 0000000000000000 [ 322.360973] binder: 12355:12357 got transaction to context manager from process owning it [ 322.361179] binder: BINDER_SET_CONTEXT_MGR already set [ 322.369502] binder: 12355:12357 transaction failed 29201/-22, size 0-0 line 2887 [ 322.382538] binder: 12356:12358 ioctl 40046207 0 returned -16 00:57:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 322.406230] binder: undelivered TRANSACTION_ERROR: 29189 [ 322.447856] binder: BINDER_SET_CONTEXT_MGR already set [ 322.453370] binder: 12360:12361 ioctl 40046207 0 returned -16 [ 322.460008] binder: 12356:12363 BC_INCREFS_DONE u0000000000000000 no match [ 322.482459] binder: unexpected work type, 4, not freed [ 322.493719] binder: 12360:12361 BC_INCREFS_DONE u0000000000000000 no match [ 322.514222] binder: unexpected work type, 4, not freed [ 322.515366] binder: BINDER_SET_CONTEXT_MGR already set [ 322.525116] binder: 12364:12365 ioctl 40046207 0 returned -16 [ 322.528919] binder: unexpected work type, 4, not freed [ 322.552970] binder: 12364:12365 BC_INCREFS_DONE u0000000000000000 no match [ 322.583143] binder: unexpected work type, 4, not freed 00:57:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 322.639104] binder: send failed reply for transaction 307 to 12356:12363 [ 322.646210] binder: send failed reply for transaction 312 to 12360:12361 [ 322.653270] binder: send failed reply for transaction 317 to 12364:12365 00:57:52 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 322.831304] binder: BINDER_SET_CONTEXT_MGR already set [ 322.836882] binder: 12372:12373 ioctl 40046207 0 returned -16 [ 322.841863] binder: 12369:12374 BC_INCREFS_DONE u0000000000000000 node 318 cookie mismatch 0000000000000001 != 0000000000000000 [ 322.854794] binder: 12369:12374 got transaction to context manager from process owning it [ 322.863279] binder: 12369:12374 transaction failed 29201/-22, size 0-0 line 2887 [ 322.871733] binder: BINDER_SET_CONTEXT_MGR already set [ 322.877305] binder: 12368:12375 ioctl 40046207 0 returned -16 [ 322.885250] binder: 12372:12373 BC_INCREFS_DONE u0000000000000000 no match [ 322.902962] binder: BINDER_SET_CONTEXT_MGR already set [ 322.908279] binder: 12376:12377 ioctl 40046207 0 returned -16 [ 322.919344] binder: unexpected work type, 4, not freed [ 322.924800] binder: unexpected work type, 4, not freed [ 322.943542] binder: unexpected work type, 4, not freed [ 322.964231] binder: unexpected work type, 4, not freed 00:57:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 00:57:53 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 00:57:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 323.054770] binder: send failed reply for transaction 338 to 12376:12377 00:57:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 323.164615] binder: BINDER_SET_CONTEXT_MGR already set [ 323.170129] binder: 12383:12387 ioctl 40046207 0 returned -16 [ 323.195249] binder: BINDER_SET_CONTEXT_MGR already set [ 323.200623] binder: 12382:12388 ioctl 40046207 0 returned -16 [ 323.208856] binder: unexpected work type, 4, not freed [ 323.222402] binder: unexpected work type, 4, not freed [ 323.227752] binder: unexpected work type, 4, not freed 00:57:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 00:57:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:53 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) [ 323.333310] binder: 12391:12392 BC_INCREFS_DONE u0000000000000000 node 351 cookie mismatch 0000000000000001 != 0000000000000000 [ 323.345322] binder: 12391:12392 got transaction to context manager from process owning it [ 323.353847] binder: 12391:12392 transaction failed 29201/-22, size 0-0 line 2887 [ 323.401635] binder: unexpected work type, 4, not freed [ 323.448885] binder: BINDER_SET_CONTEXT_MGR already set [ 323.454406] binder: 12395:12397 ioctl 40046207 0 returned -16 00:57:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 323.494690] binder: BINDER_SET_CONTEXT_MGR already set [ 323.500112] binder: 12398:12400 ioctl 40046207 0 returned -16 [ 323.509765] binder: unexpected work type, 4, not freed [ 323.515367] binder: BINDER_SET_CONTEXT_MGR already set [ 323.520698] binder: 12399:12401 ioctl 40046207 0 returned -16 [ 323.535607] binder: unexpected work type, 4, not freed 00:57:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, 0x0) 00:57:53 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 323.681213] binder: 12405:12406 BC_INCREFS_DONE u0000000000000000 node 368 cookie mismatch 0000000000000001 != 0000000000000000 [ 323.693143] binder: 12405:12406 got transaction to context manager from process owning it [ 323.701518] binder: 12405:12406 transaction failed 29201/-22, size 0-0 line 2887 [ 323.803894] binder: BINDER_SET_CONTEXT_MGR already set [ 323.809339] binder: 12410:12413 ioctl 40046207 0 returned -16 [ 323.830071] binder: BINDER_SET_CONTEXT_MGR already set [ 323.835724] binder: 12412:12414 ioctl 40046207 0 returned -16 [ 323.842188] binder: unexpected work type, 4, not freed [ 323.859222] binder: unexpected work type, 4, not freed [ 323.873340] binder: BINDER_SET_CONTEXT_MGR already set [ 323.878798] binder: 12409:12415 ioctl 40046207 0 returned -16 [ 323.901174] binder: unexpected work type, 4, not freed [ 323.914285] binder: unexpected work type, 4, not freed 00:57:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 324.134933] binder: unexpected work type, 4, not freed [ 324.167161] binder: BINDER_SET_CONTEXT_MGR already set [ 324.172739] binder: 12425:12426 ioctl 40046207 0 returned -16 [ 324.224593] binder: unexpected work type, 4, not freed 00:57:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 2: mbind(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x8004, 0x0, 0x0, 0x0) r0 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/btrfs-control\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_PAUSE(r0, 0x54a3) ioctl$SIOCGIFHWADDR(r0, 0x8927, &(0x7f0000000040)) [ 324.275242] binder: BINDER_SET_CONTEXT_MGR already set [ 324.280692] binder: 12429:12430 ioctl 40046207 0 returned -16 00:57:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 2: unshare(0x20600) r0 = syz_open_dev$sg(&(0x7f0000000040)='/dev/sg#\x00', 0x0, 0x0) ioctl$SG_SET_FORCE_PACK_ID(r0, 0x227b, &(0x7f0000000140)) r1 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x400000, 0x0) ioctl$TCSETSW(r1, 0x5403, &(0x7f0000000080)={0x400, 0x7ac, 0x6, 0x1000, 0x4, 0x3, 0xee, 0x81, 0x3f, 0x1, 0x4, 0x3}) [ 324.562875] binder: unexpected work type, 4, not freed [ 324.644268] binder: unexpected work type, 4, not freed 00:57:54 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000005c0)={0x60, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 324.853482] binder: unexpected work type, 4, not freed 00:57:54 executing program 2: r0 = syz_open_dev$sndtimer(&(0x7f0000014000)='/dev/snd/timer\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = add_key(&(0x7f0000000140)='dns_resolver\x00', &(0x7f0000000180)={'syz', 0x0}, &(0x7f00000001c0)="4c15b1e1da9e378bec3d8dcf7edb6c8e5194a602197bfce001e169f9574d6bedc4bb97fbd8f520b0", 0x28, 0xfffffffffffffff9) keyctl$restrict_keyring(0x1d, r2, &(0x7f0000000200)='cifs.spnego\x00', &(0x7f0000000240)='/dev/snd/timer\x00') ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000040)={{0x0, 0x3}}) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x80605414, 0x0) socketpair(0x5, 0x4, 0x5, &(0x7f0000000000)={0xffffffffffffffff}) getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000080)={0x0, 0x2}, &(0x7f00000000c0)=0x8) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r3, 0x84, 0xa, &(0x7f0000000100)={0x35, 0x0, 0x2, 0x2800000000000000, 0x1000, 0x3, 0x5, 0x8, r4}, 0x20) [ 324.883565] binder: unexpected work type, 4, not freed [ 324.975010] binder: BINDER_SET_CONTEXT_MGR already set [ 324.980397] binder: 12458:12460 ioctl 40046207 0 returned -16 00:57:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 00:57:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 325.163828] binder_transaction: 5 callbacks suppressed [ 325.163863] binder: 12467:12468 transaction failed 29189/-22, size 24-8 line 2896 00:57:55 executing program 2: pipe(&(0x7f0000000400)) socket$xdp(0x2c, 0x3, 0x0) socket$inet_smc(0x2b, 0x1, 0x0) listen(0xffffffffffffffff, 0x0) pselect6(0x40, &(0x7f00000000c0)={0x64}, 0x0, 0x0, &(0x7f0000000200), 0x0) prctl$PR_MPX_ENABLE_MANAGEMENT(0x2b) 00:57:55 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 325.207740] binder: 12469:12470 ioctl c0306201 0 returned -14 [ 325.220463] binder_release_work: 20 callbacks suppressed [ 325.220476] binder: undelivered TRANSACTION_ERROR: 29189 [ 325.259363] binder: unexpected work type, 4, not freed 00:57:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 00:57:55 executing program 4: r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x3, 0x0) ioctl$IOC_PR_PREEMPT_ABORT(r0, 0x401870cc, &(0x7f0000000040)={0x6, 0x1b, 0xfffffffffffffff9, 0x6}) fsetxattr$security_selinux(r0, &(0x7f0000000080)='security.selinux\x00', &(0x7f00000000c0)='system_u:object_r:modules_object_t:s0\x00', 0x26, 0x0) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r0, 0x800c6613, &(0x7f0000000100)={0x0, @aes256, 0x1, "20048b58517a4dfb"}) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000140)={0x0, 0x4, 0x30}, &(0x7f0000000180)=0xc) getsockopt$inet_sctp_SCTP_PEER_AUTH_CHUNKS(r0, 0x84, 0x1a, &(0x7f00000001c0)={r1, 0x5d, "31711bc4493679aa2e5eac9332d86df7e694dd653b3f3d40a0b5b1ca0c84b51804f1aa0fc82a920fcb17ddcc0768695471cced70fd40ba298e1c75b7e40843900bc27c380b31645b1c8c10308333b6168bcc5deec9e37f3cae44a616cb"}, &(0x7f0000000240)=0x65) write$binfmt_script(r0, &(0x7f0000000280)={'#! ', './file0', [{0x20, 'security.selinux\x00'}], 0xa, "e0665e7ee67b9d89f2ec69a74e3c34e84ced75858f815f74e9e26c5b55703a8705ee892dfa6934f1736494546d48e90d881518f8f9ca4b7e1788127d6fc5fcb851bf8a1a9331dde3513ed67c64f0802952172fda113ba356d7bbb4afd79df09e92b2217ef695b69d8c597704c55e7997ad9ac58dce18baa4ec0f29f474dcaa1c4e149ee1f9f5d514115ce053fecce85ad6e6e9a9681a430bf30933f4c7242fe7283f86a2db5841fd01f44056873858269954c12773c70ce30d50a872"}, 0xd9) r2 = socket$packet(0x11, 0x2, 0x300) r3 = syz_open_dev$dmmidi(&(0x7f0000000380)='/dev/dmmidi#\x00', 0x5, 0x40000) io_setup(0xfffffffffffffe00, &(0x7f00000003c0)=0x0) io_submit(r4, 0x6, &(0x7f0000000840)=[&(0x7f0000000500)={0x0, 0x0, 0x0, 0xe, 0x2, r0, &(0x7f0000000400)="bbf5537f44b8b5b519c037a731ec79fa90824aa240fd8cf00bbe072b152eae0d46e0f15efb9c9cc3a83515c07e35fd7325a797f4521c983025b5c7cec0a8e2e85075e2b45860003efee80a9642828643679760566f64bc4ee64fa5c470341e7c854fbdfaa2c76131a2904a457836de907c94a0a45e11db6f7c29b9cb66bafc107ff801e8091944337ce842b0811967168c742b54cb4c6f1f1c4c118ab8d065e7b8f3c329ff2372420de65bbc95fad115fd6b816da8b425e7c3b8d6fb39713ff82698387db8cb590b90e1b26f6641", 0xce, 0x6, 0x0, 0x1, r0}, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x2, 0x0, r0, &(0x7f0000000540)="07bc0bd4208dc3fe778fc200c75f01bdd9f155061c1d4047868966f79ccf7a21de8bb9e8b89d019362", 0x29, 0xffffffffffff9f38, 0x0, 0x1}, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x3, 0x7f, r2, &(0x7f00000005c0)="ae4a45cfc78a0dc0e8f03f4e9aabb4572eeb280014", 0x15, 0x800, 0x0, 0x2, r3}, &(0x7f0000000680)={0x0, 0x0, 0x0, 0xd, 0x4, r3, &(0x7f0000000640)="3d9644", 0x3, 0x1000000000000, 0x0, 0x2, r3}, &(0x7f0000000780)={0x0, 0x0, 0x0, 0x0, 0x1e, r0, &(0x7f00000006c0)="1420d7f484166e822fe2734d35a6e07d961dc902749fa28d244d9598ee36a55f8ef97dcd1e39787ddebc300056944bbcd820867bfa67159a5c7fe3577cbf7f6c85d2d761dd8ad9bab7734e82f697ea58b634c5bbd87f1cd0c4c3cbd6b684cfc925505eb005f089fe1da3d9c8c3f036095bbbd8bc7a64aae820f8dc44d2530af0ceb87a36034580cd2865bf3999d06e613512f240df37", 0x96, 0x600, 0x0, 0x1, r0}, &(0x7f0000000800)={0x0, 0x0, 0x0, 0x3, 0x1, r0, &(0x7f00000007c0), 0x0, 0x9, 0x0, 0x2, r0}]) setsockopt$RXRPC_UPGRADEABLE_SERVICE(r3, 0x110, 0x5, &(0x7f0000000880)=[0x6b9, 0x1], 0x2) io_submit(r4, 0x3, &(0x7f0000000c00)=[&(0x7f00000009c0)={0x0, 0x0, 0x0, 0x7, 0x0, r0, &(0x7f00000008c0)="7de20d21394f77279128916e745f5b41cc109504202d57bc03bf44faf822db90e3b14b1eb176bf19a40d690c00f8fc890ae37e3ddb69cfc317f9536ef67320a61e62a3e6de91350eff16f78f07b9f86d5a53d4a6784bd23fcfe7e1d68cc1c3d0b781fedfd99adad09cdb474dab709b1033eaf303955982f6b64669f9b3b2fe40161bd5aa4bf29f558dedbae5e51890d41ec4088b29052a40f8725d9c7efd86f3becac97b82dec77753c4c2ea6e4a08a6d0c5a4195a1d8477298744046ae19023815f78bac32a4ef69e9ec370b52ff83677804e104909f98e", 0xd8, 0x9, 0x0, 0x2, r0}, &(0x7f0000000ac0)={0x0, 0x0, 0x0, 0x3, 0x1, r3, &(0x7f0000000a00)="d080d00287cf58bdf5553a54ac7fa66494069e8654d705931a71628aa3f611789e12d24680bf599c5f70db9d4ceb1e4318a475162bc827f262004ed3b82d85f8bb4642411d16ee9623ffc7a028f00140c701a5f2553f1c32543e0b098633dfd024ea7ac6f262982dedd8dda9ac333d8c6baa3454fd4f58bba4361eed28df5c70b8a4d2117be9dacfbe31a9212198622452ffc3d47fe176926f2f416cb02166231325d08855cf7f4197742c9a8387f7afd801a1d5fd36", 0xb6, 0x401, 0x0, 0x0, r0}, &(0x7f0000000bc0)={0x0, 0x0, 0x0, 0x3, 0x7be8, r0, &(0x7f0000000b00)="8569eb454faec41ee626b319026d58d527d57a4ad3580117c273c5f2945da5f5738aa2dfaa2e0649ba8dccc8ca745df5c8962ec0380b3220f6b6507530be7b889076f4cb0f1ac2c8e2a40610c4f50e3b433bbeb5fabb99994bcfae628d0423ca456ab65fd368cdc1730dc0e91feacb97a358db2683f7b51f2b79c8fc6078651129dbf210f5758d", 0x87, 0x0, 0x0, 0x3, r3}]) ioctl$PPPIOCGNPMODE(r0, 0xc008744c, &(0x7f0000000c40)={0x80ff}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000c80)={0x6, 0x2, {0x0, 0x1, 0x3f, 0x3, 0x7}}) r5 = socket$inet6(0xa, 0x80000, 0x100000000) write$cgroup_type(r0, &(0x7f0000000d00)='threaded\x00', 0x9) mbind(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x0, &(0x7f0000000d40)=0x1, 0x8, 0x4) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r3, 0x40605346, &(0x7f0000000d80)={0x80, 0x2, {0x3, 0x0, 0x3f, 0x3, 0x71}}) getsockopt$IP_VS_SO_GET_SERVICES(r5, 0x0, 0x482, &(0x7f0000000e00)=""/186, &(0x7f0000000ec0)=0xba) write$binfmt_script(r3, &(0x7f0000000f00)={'#! ', './file0', [{0x20, '/dev/dmmidi#\x00'}, {0x20, '9'}], 0xa, "5bd2da9229b7981f3d957a9ba00bac12d56c86d34511bf8142c9807a250772bbbc0cc643c593283a1d8b3a5a12ee338b457704e70f684c5ca0ddf18af434e0eb68a65732ad869ffb7c50cbb9355a67632f9f909cd921e1715a96a5b337a5386c5cc30e3c38206acafc92cb8e0320654a57355ecc107938bf86944176e8d5359a5ba09791d11163cb9dcf520c1205d620693d18613dc9348d5d"}, 0xb4) r6 = getuid() getresgid(&(0x7f0000000fc0), &(0x7f0000001000)=0x0, &(0x7f0000001040)) fchown(r0, r6, r7) write$FUSE_INTERRUPT(r3, &(0x7f0000001080)={0x10, 0x0, 0x6}, 0x10) getsockopt$inet6_IPV6_IPSEC_POLICY(r3, 0x29, 0x22, &(0x7f00000010c0)={{{@in6=@ipv4={[], [], @remote}, @in=@dev}}, {{@in6=@initdev}, 0x0, @in=@empty}}, &(0x7f00000011c0)=0xe8) getsockopt$SO_TIMESTAMPING(r3, 0x1, 0x25, &(0x7f0000001200), &(0x7f0000001240)=0x4) close(r2) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r3, 0x84, 0x7b, &(0x7f0000001280)={r1, 0x101}, 0x8) getsockopt$inet_sctp_SCTP_PR_SUPPORTED(r0, 0x84, 0x71, &(0x7f00000012c0)={r1, 0x4}, &(0x7f0000001300)=0x8) [ 325.433497] binder: undelivered TRANSACTION_ERROR: 29189 [ 325.450429] binder_alloc: 12479: binder_alloc_buf, no vma [ 325.456249] binder: 12479:12480 transaction failed 29189/-3, size 24-8 line 3035 00:57:55 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet6_MRT6_DEL_MFC_PROXY(0xffffffffffffffff, 0x29, 0xd3, &(0x7f0000001000)={{0xa, 0x0, 0x0, @dev}, {0xa, 0x0, 0x0, @dev}, 0x0, [0x0, 0x0, 0x0, 0x3, 0x0, 0x5]}, 0x5c) socket$inet(0x2, 0x800, 0x6) syz_emit_ethernet(0x1, &(0x7f0000001080)=ANY=[@ANYBLOB="aaaaaaaaaabbaaaaaaac607b87aaaa008137ffff0700e33e6e160000c2d51d26d57c000000de0000e007000000000000002e1cfcde68ca"], 0x0) setsockopt$inet_int(r0, 0x0, 0x40, &(0x7f0000000ffc), 0x4) [ 325.528334] binder: undelivered TRANSACTION_ERROR: 29189 [ 325.560469] binder: 12481:12483 ioctl c0306201 0 returned -14 00:57:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 325.616328] binder_thread_release: 27 callbacks suppressed [ 325.616349] binder: release 12481:12483 transaction 426 out, still active [ 325.629170] binder: unexpected work type, 4, not freed [ 325.634644] binder_release_work: 43 callbacks suppressed [ 325.634655] binder: undelivered TRANSACTION_COMPLETE 00:57:55 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 325.810120] binder_send_failed_reply: 28 callbacks suppressed [ 325.810137] binder: send failed reply for transaction 426, target dead [ 325.824149] binder_alloc: 12490: binder_alloc_buf, no vma [ 325.829871] binder: 12490:12494 transaction failed 29189/-3, size 24-8 line 3035 [ 325.874693] binder: undelivered TRANSACTION_ERROR: 29189 [ 325.901420] binder: 12495:12496 transaction failed 29189/-22, size 24-8 line 2896 [ 325.923273] binder: undelivered TRANSACTION_ERROR: 29189 00:57:56 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:56 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 326.006848] binder: 12499:12501 ioctl c0306201 0 returned -14 [ 326.034712] binder: release 12499:12501 transaction 433 out, still active [ 326.041696] binder: unexpected work type, 4, not freed [ 326.047085] binder: undelivered TRANSACTION_COMPLETE 00:57:56 executing program 2: recvmsg$kcm(0xffffffffffffffff, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f00000004c0)=""/4096, 0x1000}], 0x1}, 0x0) bpf$BPF_GET_BTF_INFO(0xf, &(0x7f00000000c0)={0xffffffffffffffff, 0x10, &(0x7f0000000080)={&(0x7f0000000040)=""/1, 0x1, 0xffffffffffffffff}}, 0x10) bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000100)=r0, 0x4) ioctl$SNDRV_RAWMIDI_IOCTL_DRAIN(0xffffffffffffffff, 0x810c5701, &(0x7f0000000000)) 00:57:56 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 326.213245] binder: release 12505:12506 transaction 436 out, still active [ 326.220257] binder: unexpected work type, 4, not freed [ 326.225802] binder: undelivered TRANSACTION_COMPLETE [ 326.243437] binder: BINDER_SET_CONTEXT_MGR already set [ 326.248779] binder: 12504:12507 ioctl 40046207 0 returned -16 [ 326.275065] binder: send failed reply for transaction 433, target dead [ 326.281776] binder: send failed reply for transaction 436, target dead [ 326.323762] binder: 12504:12511 transaction failed 29189/-22, size 24-8 line 2896 [ 326.352587] binder: undelivered TRANSACTION_ERROR: 29189 00:57:56 executing program 1: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 326.440117] binder: release 12513:12515 transaction 441 out, still active [ 326.447541] binder: unexpected work type, 4, not freed [ 326.452936] binder: undelivered TRANSACTION_COMPLETE 00:57:56 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:56 executing program 2: r0 = gettid() r1 = semget$private(0x0, 0x7, 0x0) semop(r1, &(0x7f0000000280)=[{0x4, 0x4}, {0x4}], 0x2) timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={0x0, 0x0}}, &(0x7f0000044000)=0x0) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, 0x0) tkill(r0, 0x1000000000016) timer_delete(r2) [ 326.640244] binder: send failed reply for transaction 441, target dead [ 326.732453] binder: 12521:12525 transaction failed 29189/-22, size 24-8 line 2896 [ 326.758547] binder: undelivered TRANSACTION_ERROR: 29189 [ 326.899722] IPVS: ftp: loaded support on port[0] = 21 [ 327.067169] chnl_net:caif_netlink_parms(): no params data found [ 327.144579] bridge0: port 1(bridge_slave_0) entered blocking state [ 327.151104] bridge0: port 1(bridge_slave_0) entered disabled state [ 327.159745] device bridge_slave_0 entered promiscuous mode [ 327.169514] bridge0: port 2(bridge_slave_1) entered blocking state [ 327.176139] bridge0: port 2(bridge_slave_1) entered disabled state [ 327.184647] device bridge_slave_1 entered promiscuous mode [ 327.222595] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 327.234386] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 327.266733] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 327.275515] team0: Port device team_slave_0 added [ 327.282142] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 327.291079] team0: Port device team_slave_1 added [ 327.297811] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 327.306387] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 327.377438] device hsr_slave_0 entered promiscuous mode [ 327.492976] device hsr_slave_1 entered promiscuous mode [ 327.533515] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 327.541032] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 327.579239] bridge0: port 2(bridge_slave_1) entered blocking state [ 327.585983] bridge0: port 2(bridge_slave_1) entered forwarding state [ 327.593178] bridge0: port 1(bridge_slave_0) entered blocking state [ 327.599695] bridge0: port 1(bridge_slave_0) entered forwarding state [ 327.711528] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 327.718340] 8021q: adding VLAN 0 to HW filter on device bond0 [ 327.737482] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 327.750308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 327.761394] bridge0: port 1(bridge_slave_0) entered disabled state [ 327.769838] bridge0: port 2(bridge_slave_1) entered disabled state [ 327.781503] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 327.801454] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 327.807622] 8021q: adding VLAN 0 to HW filter on device team0 [ 327.825178] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 327.833854] bridge0: port 1(bridge_slave_0) entered blocking state [ 327.840347] bridge0: port 1(bridge_slave_0) entered forwarding state [ 327.893352] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 327.901813] bridge0: port 2(bridge_slave_1) entered blocking state [ 327.908392] bridge0: port 2(bridge_slave_1) entered forwarding state [ 327.919552] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 327.935667] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 327.944741] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 327.961341] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 327.984871] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 327.996760] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 328.003015] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 328.015047] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 328.047354] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 328.074529] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 328.332960] protocol 88fb is buggy, dev hsr_slave_0 [ 328.338546] protocol 88fb is buggy, dev hsr_slave_1 [ 328.453101] protocol 88fb is buggy, dev hsr_slave_0 [ 328.458772] protocol 88fb is buggy, dev hsr_slave_1 00:57:58 executing program 4: r0 = syz_open_dev$dri(&(0x7f0000000080)='/dev/dri/card#\x00', 0x0, 0x80) r1 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x10000000000, 0x1) ioctl$VIDIOC_SUBDEV_S_FRAME_INTERVAL(r1, 0xc0305616, &(0x7f00000000c0)={0x0, {0x1, 0x81}}) setsockopt$bt_BT_DEFER_SETUP(r1, 0x112, 0x7, &(0x7f0000000040), 0x4) sendmsg$key(r1, &(0x7f0000001280)={0x0, 0x0, &(0x7f0000001240)={&(0x7f0000000100)=ANY=[@ANYBLOB="020278072102000025bd7000fbdbdf251300180000318a00568e99b70e94eba4f92f39ff4a419513d2adde9c4bde46389025398e2257aa0e34630418df60462c16d69c15c2db091feb895e503c1fc735f57dc2ed5ac495f2f0c7c30c14c7c6f6d90f24d82219dd989bdf177d3c6d52004ff555d47cf16fdc71d0c46db483bec3b00ef687ab83112289bcc45177dfe380eac0fa5947c0bcae65a04ce1992dbdc1fa9300000000000001021800fc00001039b7cd41c41db2d9f2d746a8d7a511b51c5626e18634db41ebc37a85ec48af52eed9a6c8b512ff63253d08b20299b0bb61379d03e89b443bfebe0da468e3a9dd8cd4d093af12ad93dadf27d79a2f7341ee7896b7171245d350f8077b94b77d12859f0f68c0fb8cc71d81f80c02bf2b855e1fd8b86aff10bbf4218a2c829c980c0a44866f5e17510e4c913373dec2c61b6e2a80da25b429bb710001d46aeb724b02373fda2d2318d25478e7aea69cc7710a3915da058d236d799ca0f137c5513c4666ab980ca1a11b0dbedcff5041b2ef52740cd3276e9c762f4d91a8d20a41cc4b9e71d58f99863188c2b56dc4159cd2b1f3c82f3c9e7f7136a99db51f1757db1dd174947aa93afb21acd2d169a10d0f0b999f8361f384d234e612db174512deee3477cb26434672dcab112ee86a6bd5c68631cbe300032c9b99d84de9dae9fd984e3d2e69b0f6cc42ebebbf8d48332f55623fc038ba437789f4049329e9b0300cfd243769a165e910406ab48adbf943e3e0cf4e231361488d05031797b6afa66755412f3813d594ab0d4e14c371f5e29826eeb00c8aa5d595453ad9f2ebcf53497eea6072726526479dc8001b2209ae2ccc679f8dd35f2870c9d5f2a286c37aecff95d8b29f177afb1254ae8623694b6c8065f6daa2b474c9eb5a28dd967a43148b032f2bd27dd1da34657009183657a3e7b433b098b972bbe712f28c8c4a925074e123f4d2906f38fab6b27ce60d31eb42aa96ad5742d5da39290f3ebba25c04606d1c75d1d0f5a3f854c75ed509c3ece4bc224f3866d02ea0fd890ecbeb5696c1e0788c9fae69cce77b717ba79ce3900fbe19bc2da3a90f2ffba783d0546de722a304ddeb93364ecf9ddc383a9fcc8633dfaa6b45e350ac8ac657fd3a2de81d8aa885612377878596b705b0487110dd055929ca7c4ed453b9b1b6f76d4e81b768b99ec3b91e80b4bd1cd508652dbecbe0360272b746b51f4f185cb899358f4e3c34289a199b7caa68d6d7b2cd0c2299c5b8ffd8c25b0b9b853ed64a1f2f7490f2f0c40d2bb00005fd5f38eaa4b2e86e956529e3548deed1dc08d05c7c64388fe3c1e257c96b0deaa295b88e53fd54cb664fe6b0173f090cd8eced77ce23549797dbb7384f734f93b6387950f1aaf4d11034958b1147ff4334a126d19fa154615db94cbcd669ee92e40dc29eab9e9c495ef11c170b10e5136a9d9b89d282b9b504a439c3f628c555e201654990df5f0786a605f761bec81c61aab4214a188d01fdfe05eeb2b7bffcbeb9aec1680ff46e4e568c85654f12205ee4a1e09a45095f1b33c2d9c14991c03e783eff2b9ca3e3f629f2580630a774b95045bfb8953abcef179fa4d7a056f68904a338b2dd196f1d8b583bfc612882ae806d8d61737378daf5f012ae570618e99902474001c89a7fa3fc4eb300464640d65124baf7fc6759f5d89c497bd58b99dc23f3662a9004f6824eb5b6f2dcd7bf95373f52ceea54603f0186c8913a1c60877210e1198fd5fd8db559edc33c3aeddf1510ca35bf7fd43f606708e22233a9a5ab3e07f7453b15916ae4754824d5a5d69a4ee93def102b82e5eea77b49dfc91c1a8196046dfc609b519105cb03fe7ff14020ebede4c074a31bd6c75761c17028088a2a0e0571be204d3e5582e65ff947c779acbea5b54fc7e22c33ce1cfa9bcf5f497c7dd6181d35eff07d6a58c1bce6fc0e539983c687fa06deec3d7f76119589805e851c6d9b9a83e587284de0bce001dd659afaa418a2ec7bb383e7bf3ab331b5fe715178d104bf6d6182aac0caa0916f96c2b830541d66b66c33b5036215dfb75178c3dc9d5b6890e2ff9a24a4f695bd29f579cc391e1c6851339c44ad9747054b7467af0c6018c4e1d42cc05a37d2914055a981c5c19be00aeec93a9926c9b9c2b3a355e5fe23b4f5f7b3fe3b7a0127a3408628fdf7e833508233c76b5e65ee4c3e0956601133fc2db18721cbb794e8a4eb9b05d717d4a104555eba36f84131cbdfbef5f50a2f2d1ec79a966297f9a82c7e6f632b0adc24a74315cb6dbce67217490804a66bdeee3d18e18697365832cb3633dabc57f9e51842c03ac2212f8ceeb2a00a6d8df2689cb459e021c6b6d498eb87196ca188359c46240b996aa269ec5a0948faa52851cac6a446a3dc94cbfb07d06cab94de81b6f242e938089fbd0b3aa6ae5946756de613a76f54a8d4984d8b35b318e8b3523138f52428472e479a43659758915a19ca7ab64ac41b24a878beec41a5fd72c61be7ed16595c7f129308f02825c20f4ee151340910eb4a83b1bf1afc4bbd9a6c2fca824ddb5f6d675234457caa4cad9f262c59f25ca39eb7bc37936a956197fb8e68cde8a93ec7750233c098928c71c165418f4c994c090c668b5f93345572370f40fa433b0dd6019f71ba85f496ef516ccc19bba1070bd0b0065a33868c5a866986f8aba3b1b8ef36393393760ee8ffb11b413f2c02421a7ad37315ae8863b9bffe75ca092a51e1e29e5d4539badfddb883a61e5261e44f289210580fddd15b1fe6c03f1503251149d120eea19b845beb0fb3fecf3417f2578f012da9602562aa668ab904de28321d69f9d14e772287677e18b2052a2594e294e77d3a440d0e9db239f0fef6d0221aca37be45646ad449c6a7b7b7ebcb15d44b3944468c787c829755971ef0a29bfc759bb758b34e7c6bcaef2743701c975ccb007e9bc7b4fed2c271078aa3a8e92c23e79fcaae2579cfbb28281f7bd007cbacb586592e6d7caf2e7c29726206ccbf0ae04491580a672ec33e36be3d3579412599b87dddca3fd49f93851a06f6580eba5dba45b9898837f0a8c462379a5cdad13e0aab4ab0ed540fd677386d340ef939c8681fddb681805a94d86103d27d605201885016de8721cd4e14da39d3fc993096b7c4edcb0e74016d58766e36f1487cacdd459b809c9eab4a7620fec106a5f7996eba9bc8c2160447ab80bbb2c11da5826672d6adbfce8b89b21da89312eeebdce2226295d7d441f8ddcd93c1cc2aeb36e25223e621c68bafe0bf56a9d74f7afa938bbcf95f8f2a06a93ff388ef2732298ff458f37fb461ee186f72b7b7dbc1635910f6e07e78880d3622ae4c21a818648c9d3d744160bcd282859e8d6310bbd5da48697d4fcde4388c15bce6b88bd9072b022cc43a32b1111a962ca587ad86a243042b7cf06c2e92ef28b8beb28fa124f21cddb517f005d851022aac9c909b6ad1971d0b152ee45c6fc3417a9a9958cdfcbd9214c6c27b9ed0e6380472ee1ad7f61f3f674a543b89f01ce5098403f3631c431e7434946cac100a2e5e6d2b7b1022ec2e9a31b8dfeb767962193cd9180c47f71e5588c08cce51d6d19d955f7aeabc2152b4654275aadc1301f7bca4fe44ecbff3beb5be94800de1f2a40a9d4bdad87dd67fd1317a8a7f15d748006650a8a3f3b01ea4c51ae30b886725a6592103770616e05afdcd13f34294069a4bc33f9d9d1e047d31b2790c2cf3d167ebdfd6aaf10711be070874896e50b461af49ff1b67c0e5ffe6227b577db858e22d26915fdf50a8300422d9558ab3c30253ae053e0ab82a4eb3dd351c93d0a2ead57741eea0415685d3182df8ccd33278494622c3000599bb44ab0eced2ca0d3aa4799d5e55c7fa438901b25c0d1bb1469788d255d4e97f3beae7c0a3f7123d173e60aea9d6cca6ab253d300f47a48a393f6a85bc6d9c1bee418e5623e4ad711375a1812c25ada0d5e355643054a84ffde761033ad200d9d63391898415e7fd91ec3bb509da8b0232b72bedf67c17e4ed874a281f74fe731d7d7cf1ab7ed7ddeef800bf633ebc7234a80dc564c63b28434bdb88764eb4d5aee6877f319bd6a7f48628a5620033f5d8bf298f46a0edbffc5222c229ced729d84ab6e934df172803dca9dc8ad760207529edccbb4a05a8801457b685b8d2cf5d92f23a48c7426a9ec4b6071634eb37a3d7c11457cadff24a033a04df2b1583b642a59ab2975a3742331e216b2c7d5467a07c38238bb8829813aba5a08b19012cf59b1b4888b2a25fcd3accd78050d9eb697cd7e85cb5c4cdb96253ca868ce497b1fe8e3339f4411bd5a93b1dd979b24ad29dfe1a645f470a6b429e3ebf3973625181264b68591a3e18bf5722793a4b2d12bc82a6691f6b01845058f8274ec0969f643bf725da840f68986c154e0e302cfc69f36a0e9713b6070548b681934433c1775e9c3663d087be3598a9c8031918249063933393924bf3ca146556bee8b46d3f37713945f85d472dfb40ff4da95a52d436fe0b28188e54844cd03bf505e58f0df8542270ab01a118cebd9c982ccd2ba6e67dddcddcb6610353a4343969685550cd404a9c46dd2adae5f5e63dd38abfb62e08034bbce68c3339882c127d3b891cd4b5dbe39bb0bfa40b84f1334a064fcef0a6fc4cb4f50dd378d690aa9f8cc99f986ab9fea09a44fb51f30cdc11b7afdef75b076b6c8a61f76d3c227335f7f5e06cd0e47299ec8409a1f306b97dfd6403de34661a9fb2c6eb142b0cf9763515d26079b8a737aa6133f92ec5cefae6d3d073839bb013c479ee54d9b269fc72bb538cd7177faa885888326d632269288825a8b3448561b8e9c2706aa9a2d94caaad15797a31247e86a8d4eff058f1a0df5a36b3881d327fa7704c6f3f736a27d74380b4d5e916108e13e88b8cad2aadf35571bf8f4bb3f6dd2a8e1c7171471354aad7825384c262de076654d82a122891e5976e2e0a989900ed03b3cd10151d41a8ea0e202b4f989069bd10e94c87a72855d71eba8364b007762ac456c091dcf88a16b7e866eb78ac15e9adc2c74d764edef7634aac49a4d548da7d098f93535d4a918eb53faea0a882629aba77dad5742d04f789670bad982aa92c0c08e572987f4c67e609796dec92c2947ce5e5e0b1edbbbc2f7d74f00db4fd7fbbaa65abe56204ad78ddcbe86db50b2e5364b3cf0fb96ef1375f8a16cbf6c7f1a7d785bbaaaf70100c5fc3797740e4eaa5f4d0eb092c547e98e632a9cfdea1fb3db1ef91041b515c8e0d2d9a1713859b7d6f9f6790caae8e4be8a01d15d7ca691ed1e0eb2551f1a82360d3712b75d357208b8a6ba4b83d0a15e5d0b52df36cbc12c1de8068c956d0b32667dfc6fb2d0300776b68f277a7f63638baa41ddc39f806ee3217b421aafa8e658505c8d633c65d838dbc82df07f485c51c4d7c00ba1ee62b30a3c71c1e41ff9189737eba3ec1badd19520a8b5395d971253ad3e10a8eac37b264f148e2e0db2517ca52a4af9a60570e3540882548b39bfe87406569523f1c72ae7f495875bad017b8ec5ea8095bcc611589dcbd0b19e4672ce0daf12ea1885ca8b07c8a5363d04c0e1f6de9cdaa24d4e9be88e3d72bac1289658c6cf1e31b29e5be69a50c25d09093dcc80d67ca3797c361789fed0ca2d1a6896ced37047ae15bbb1ca2c50ef671f8a647442e8b88f96911cd04362d8518bc339ce07df9f9d73419b932b83b3a64575e01e25d150461beda9f7cdfeee5a60e4f136a6c776b9f42ac722b7ddf4d4849b70567c6a6309c256c26e13945415c622f57f3a438a597e2675a615a784727fb54e3549248f954c2885e8a4d4c972b8a60826d0cd2cffb5bfbf59973c02909b6a390f2f3da34dedbbac9669c633fd51f407c69055bf23407bf57400eaf9e14ab9d29122b1a8d92c08d76aca2210374ec01c7dbb298ee20bf601b6a734bc88410af4374aba57c5dd0d6b47313ba6e7de439c999f6d590966d690aefcae0a419ff1c2721e9d6c8fbdbd27926d58999c09d47d94804000600050000003f00000000000000ff01000000000000fcffffffffffffff02001000000004d3000004d200000000050000007f8000000a004e2200000003000000000000000000000000000000010180000000000000"], 0x1108}}, 0x40010) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, 0x0) 00:57:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 00:57:58 executing program 1: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 328.644365] binder: 12543:12544 transaction failed 29189/-22, size 24-8 line 2896 [ 328.669413] binder: undelivered TRANSACTION_ERROR: 29189 00:57:58 executing program 1: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 328.690786] binder: release 12545:12547 transaction 447 out, still active [ 328.698708] binder: unexpected work type, 4, not freed [ 328.704139] binder: undelivered TRANSACTION_COMPLETE 00:57:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 328.815279] binder: send failed reply for transaction 447, target dead [ 328.934372] binder: 12555:12557 transaction failed 29189/-22, size 24-8 line 2896 00:57:59 executing program 1: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 328.991588] binder: undelivered TRANSACTION_ERROR: 29189 00:57:59 executing program 4: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_tx_ring(r0, 0x107, 0xd, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) prlimit64(0x0, 0x9, &(0x7f0000000700), 0x0) r1 = pkey_alloc(0x0, 0x2) pkey_mprotect(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8, r1) setsockopt$packet_int(r0, 0x107, 0xf, &(0x7f0000000280), 0x4) [ 329.036992] binder: release 12558:12559 transaction 452 out, still active [ 329.044314] binder: unexpected work type, 4, not freed [ 329.049616] binder: undelivered TRANSACTION_COMPLETE 00:57:59 executing program 3: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:59 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x1c, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire], 0x0, 0x0, 0x0}) [ 329.177698] binder: send failed reply for transaction 452, target dead [ 329.340304] binder_thread_write: 1 callbacks suppressed [ 329.340341] binder: 12567:12571 BC_INCREFS_DONE u0000000000000000 node 455 cookie mismatch 0000000000000001 != 0000000000000000 [ 329.414921] binder: release 12567:12571 transaction 456 out, still active [ 329.422168] binder: unexpected work type, 4, not freed [ 329.427460] binder: undelivered TRANSACTION_COMPLETE [ 329.552751] binder: send failed reply for transaction 456, target dead 00:57:59 executing program 3: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:59 executing program 1: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:57:59 executing program 2: r0 = openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000280)='/dev/video36\x00', 0x2, 0x0) ioctl$VIDIOC_ENUM_FRAMESIZES(r0, 0xc02c564a, &(0x7f00000000c0)={0x0, 0x32315659, 0x0, @stepwise={0x2, 0xffffffffffffff7a, 0x1000, 0x100000000, 0xffffffffffffffc0, 0x2}}) r1 = dup2(r0, r0) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r1, 0x40605346, &(0x7f0000000040)={0x4, 0x2, {0x0, 0x1, 0xb1f4, 0x0, 0x2}}) 00:57:59 executing program 4: r0 = socket$inet6(0xa, 0x200000000000001, 0x0) getsockopt$IP_VS_SO_GET_VERSION(r0, 0x0, 0x480, &(0x7f0000000040), &(0x7f0000000180)=0x40) setsockopt$inet_buf(r0, 0x0, 0x100000040, &(0x7f0000000040), 0x0) 00:57:59 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x1c, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire], 0x0, 0x0, 0x0}) [ 329.805927] binder: 12576:12577 BC_INCREFS_DONE u0000000000000000 node 460 cookie mismatch 0000000000000001 != 0000000000000000 [ 329.867906] binder: release 12576:12577 transaction 461 out, still active [ 329.875128] binder: unexpected work type, 4, not freed [ 329.880437] binder: undelivered TRANSACTION_COMPLETE 00:58:00 executing program 4: r0 = openat$rtc(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rtc0\x00', 0x0, 0x0) unshare(0x400) pselect6(0x40, &(0x7f0000000300), 0x0, &(0x7f00000003c0)={0x8}, &(0x7f0000000400)={0x0, 0x989680}, 0x0) pwrite64(r0, &(0x7f0000000100)="8e856e833d38eed3a209d0ac7bcd2792dd89f8e10c4b93fd64c3f502e8459ef57443c689e9aeb7e6c64cc6d3ccec91ab5747f9574b305adcabb8ac34ab77f3a74089968fb2412b4ab3b044e4710257f2b9d121e358e04f18b8944f38d239d089e864fa4de4c5d7f68e53a366df2c5964857a610549777a242aefe0a5a152adfcf0e2a495732caad73ae30fdafa022cfb5909bda87a631d690969a09cafa44b067a5d9b2f01bffd4367c858a6c9f7df791a07adbec2092b100db362be718f4cae200f6dd77811a564b0fb0f91f02c8f7c94fc8ab2d5e724b781a80d07f82af4cc5d", 0xe1, 0x0) 00:58:00 executing program 3: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:00 executing program 1: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:00 executing program 3: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:00 executing program 2: r0 = syz_open_dev$mice(&(0x7f0000000200)='/dev/input/mice\x00', 0x0, 0x40) ioctl$EVIOCREVOKE(r0, 0x40044591, &(0x7f0000000080)=0xa2) ioctl$GIO_CMAP(r0, 0x4b70, &(0x7f0000000040)) socket$key(0xf, 0x3, 0x2) perf_event_open(&(0x7f00000000c0)={0x2, 0x70, 0x400042, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) unlink(&(0x7f0000000140)='./file0\x00') syz_open_dev$mice(&(0x7f0000001240)='/dev/input/mice\x00', 0x0, 0x80) ioctl$VIDIOC_S_AUDOUT(r0, 0x40345632, &(0x7f0000000180)={0x2, "7aeaa00031e453f542f6780e34d51ce186c653ba6c73b42f1f7a78b14dc7e5d5", 0x2, 0x4a456c53f70bf28a}) r1 = add_key(&(0x7f0000000000)='logon\x00', &(0x7f00000001c0)={'syz', 0x3}, &(0x7f0000000240)="eb224c5d7d5c82d8625a6e752005bde1343b5986f36bb7d819083913d069fbd6f44a6063293c0ba6427d77897d6092651918e4db1384d6276c200e46036a777ccbd4851f9d5dc501303cfa995a88689b7397166ce319bd7d63d3c9a790025561fe73122a22ba5e487fb4ded8c2ab88e7f232d5baa2bf160ffba3f004e4504149b550b750573ceeb2cb8e1935774d8006dca44357200509369e62b479bafdebc8c8b85ef0f3dc8476851bffb693da87f80cf1b2f11d1a245a9e1ad85c395bf1b4ca46030bf7fc01bf495714e568b5e152672b55a665e9a70d719ee9a674055ca3ec6c74c4ae66e4c68e19efdfcb6d3315dd910d6ccf1855270c4d75bc688011b76a2fe2ffc4d7470fb87931a81bfb2fac29a7b94735737d3359492cff8a1daf709a0420128b13103b8ec3ea02d10b07944e228eea566016599a9ec0243ce2176639325333045b5b121eb236a7af137b67dd1365c903223ccdae6f50d8ae7ee56a3c7021ef0ed5ab13006821d9a1a84b833444eef83935b91be2c978edf2096411b178c6feb2825ae7c8e78b521b8ddb779af3ec29b6a4d2ebf372fe467f4797596340cf153559fc16433420ef8f69fdab4cf249eedfbea28d5785fd7986d46b41722af894cda7f20d46e38e86513d96879f16f075dc144744c4377d9abb8a3f9b770ef0a5bf9e7d23a3a792969d26e2bb098c9f7ae897f5a846eb7413d070a91eda4d54442149418d04a6743f31e26ab2b89c1335f406cdc01dec4f4d8aa1c18267951a6d7655eef6e5a71011d56da4c29833f674fcf16e309da176cd41bd9c83f0d9170808f2802641878764c965fbb2a336ddae7f3312f3dacd76e46a6e78678a2a71e22685fa9e281ce571dd6b5f19a696f6155bc5adc51b397cf1439d7e40ce94a8173445dbfc995953f54d846f7e299554da8389aac707d62e8ebd9209a64c201389867ba50327ed0b59cfe8e30bf179adb22ef3d760ea0cdcb1f1e4cafb1f5f1c6ca93e072142365dc0240fbb5d7447e49a53e4b6edb137e772d793874bd7576647b1cac613d2de6cf4e73b911c3fbb6610aac8d41c8657214d9389eeaa74677d92566d0d7bc445a107ed5768b5108d3f725e46a4e0a7dc03ad9b229734f8bba70b32f6c6171732d2b7036bf429adbc3c7f571e635f94ce4e85173210912e0df7a5dae1b7fd498d81423a74d27915fd45e7205e198d74b744f0e4da1d66e18635a186c742ca6c0b7591df9a1ba10e4371a655a3b954e7551b6f8e8ddcfa1ec6a881296c003b89063c4dfd4b31cc635c7ffe774b9e769a597e8fd765eba8b07cc95836de9bc8793d7ddea238fae7bab1e916acc249547378c6bad7b5521f7b1269bb88da06d7c80be67d593d67fe3f0d5756a1625aeaebbb2450c989206cd63b46961daecb7ed43c8903ffb20b213ec3801cec84b5b985d125ec3c7e95f45d0ed09b6aa7de1850a647b0b690343b9dbd565d51f9fb6500c2bf28dc5899dae008220d195053ebc3356255eb31a9364ae930831f7a3b8a4e95cc8d4242066c389e61fb1dd54107072765ecabf9ed1a1ecd87e03cd089fde8bea051b2e393adc76a42663162eb1d34e8f675d34e8cd502f5bc2aa8548860b7bb58ff32a11c823628b1e8fc43999efcf866f1dc334f752e153ba572989c9edd00d37d0b99cf21a57a6587f1f871e0fe22be47f5d3188fdf8e2b498c48d17596ef22e84c1aa084112b94109ca661717058e9a42637cff9b57227c48135a0221145fc2a1bd87e3593e7248c9b7d5ef4443eb072d4390749022b16c91fc776d35403cb469509595841514d06979187dda7912af5d41f8a866d0ac1fe8e4207c8252c583994808b549aba2aff9c591b3d9c5d82e33797b60d22c4a376f1cf3e0422aba839e8727c818eb030e14ee58d0e69bb8ab4c8d35f45279eae0cc4f2f1c85f2875f8759aa462819b60de4d4a4b4e438ac68da81b99a33b06dda0acd54292fa389591986a838590aa01ee206e6ca09289735c6a26cbca3e72a809075fa32d6d4a7d7e23ecc57d8226ba15862a95e62b5f420ef2de13e41feb6286e50a85e6974212a3221239fa151430b210ce123e800b81028268bbaec883d2e9b355fb49c68cc778310332eec05ef35130827129284e92fa754da4e19212e69cd83af3f94ec2ce87d7c0e2b8c6cb844ca7bb90ef11d2e16e7f90f013092b68f9c9e0e5fa556e4c02aa273e0598d6c649d99419d0d40baab277fc7ecb62f210cb62f74306f8c0ad4c6c58048d49685bc024bd4e1241acaea8ebf493ba450ecd1c66039f13df8ea7c7335dc7bc54f73918b4a20a426fa6d82b89aad54220d8f8b1d748af4c1002b3a2e641f679ab5d14f6f100c006c85c8d80c242a1cd6ec12d20695cf9bb365e16b59f71930368a06ec6de4866aa55d23629781107e34b0a06f6e610287ea4cbb0f5f1858cda4f615293e8d128bace8db7e6f1afe83bf0d13ed906992ecafad90bb3a39feaf2d7796cce2d4df4f7412d7da3ac81786003fb0366e9cd204e29fccc9e93446e4a5cf899d7944a1af11c0c0ac35af04fc146f1151095793026df33bb2e882014023f9e3b04a02a5156523f1273397921f477c09b477f79b62b16d036c58af53211b3877fac49c1eb8745a932828574a106b95f327b889b90a2160cf343b1444cd40c921564aeeee047a409837ce6bde334c615f6c85bbc6b306fc7e06dac14fe70fc4ad8950bf3864caa92e6ea399d4f193d4ed305c62f04e3b1719576f33ec32f7e9ea37c06f66a6276c012de88feb7baa116ac32b8cf11c5d3cacaacc31c73897eabe95341325e6b096a5959118a28c7e12c02ff682b6322f2641f4f50743479e5f1c05f487339c0536e3676da6f6929658083732dd07a6142bfaba19071fefb86bd108a917eb44cae6c0abe7da7298e36be7f7fe21a30b1342eaf2dd694ea65d577a425dfa8b7b13261353e9644cedc851188ee5a9b7418e21ab844766b67e1526b11cccaf0a3df7aa8cbab122fd7c5249a2357e63cba3a4a14310943672c67d23dacd936198ba175f77b73d3a25856ff758cde4594e836b5f10b2ea425c37c0b8d5ecf5c748d3f3b1979576a2be060630d163a8c4ffa7f0c57de53423d2a9882990ff8c2144246905f19816a86f9083d4bbb097fa6094af11e87463c4fba0bb1db2f60d5c311806cacf65356985f9361775dc19cf17e6e6ebc0c3f9b0703d424f523f4ff29312c7f7fe5e191f142a33a131229bb412e6f1f6a23d5e76d72d1c9d34661bc947bd03379e823b2975549068cb4f79bb9fd58185e61fc43098178f0885167500bd4ff3feb14a1dcbfd0da361350aabf0e72b28b3e15d9dd8137a656f2e0b53b4e93b54560bd64c5efcc6bdc56d2fa99ea3fccdc46475eef817a33bebd71b8a2012ed64655d78cf993287359e74e415267406bd530250493e8a597f43a7a2c0996ea3b75c76445a8c5193b3da6d4dd4913a0a31071df034c9c3d93e7e3ba5ffb78d63f283eda64c7e444e3f8b414979353b7585284a3cbc6b65b069a52af6af760edae54759a6e031f848120a7a38a1c41f380474c1aa26854095bdd390d68b4223d280155a746ddeb204123f7fbe924030ce29d14f5d8205520c042dd8f192026a4a4303249acd39e2814e87605ff30cd5a4f9afe25ab402620d4f5efe0f529f92506c371b872876cd063a4f387ba93b42dc6645e3b65161138b5ccf673981ef8cec620c1b4ef4846aa9c26d9650e86b6afd575f0014dd6c4eb5229ede163794d37ed39e704c4061810b0f23d3d54d2d2b26205f682ae20e4f8fdeafd0d2de90a1873cc0b6ebb4862c42aa97c29d4c87daecd552e0cdbb110a66ca74e729eceecf31a4bdc1df1332361612e0b3ba09cb6b2215359481dcbf44c1721a48d4ab11ef52d50cdf7776e1e0c5a7b2631f4fee097a3a060a43e93c69c8f0e7f7700ffa9812f9ac0a384ce49b56c69f47499b7aea24980e0a9ea830783a2db32f0befe66499d42b7965f5f1a5d5e0bfde70fc02a7196c2b87885fc8eaad9ef18d6dac2424dc6fc90527b449fb9814c52b07de6a86893c2cfb1547a8b40f459c7e786e4c5e0ac454a40cd5659b473c9df202fda4c68ee3044969c5dba18746f6c3a22a20287e34f5e14b4e52c0ef1dfdde47c1d76a64f4c9be348cd8791013844a58d5fa6d2f24e1a985e6df0bf2e113aa8cc3c5bbda4b1e1e44c3d80081b1d893265235c33f42d1393d2cb7d7b83c379490c890db9cf61933a0d73ad57201e9fc3dda1ca8df9762be642b0f467a6ff6fe5e0b2f189ca5e75d18b5f13b60195f5533b8be91c0d6b05a54c04ad02d936e35dc014a04c92a179c4f0200bdd9d4f23536f118eeecb885a4470cec8eb7c56efca8311b6bf9c21e5835c16ba21f8b1ba68df70aed8c50b5d267ca5810fcb8193a3f31cb6c395121633bad04dfb97bb59bb65a024d169e969158e3f9acd63ec55b10b8af1a77ec13b2360227719f75159f840567ff0982079f06a3b85cf01ea756b6bf0fc5221e1740954da050003e1bfd30e76427d69c1050d6bb59deb35f4c0fe38428d6c36508980af70a6a68b2585d3c6c50a22dd6566d02c93e71c2ff48298b91cd331a9e42f606a96b6cfa470a4ddc35ac1fbf2b665574025845d495d5cf495b0542d92eff8da0627a8f251a40c9dceebca6455d6cd311aed243e5f7dbfca1bb83ab6723b77e0565cab1aa928a9822cac07bb986ebe6bf714826c0ba88ac4f026c3b04225d17810651bdf0c20e43a7ba207e40f6a185cf27a22159d1fe2af66bf07517925af9cba4341101e4af894a39d9de55d56b69a010486ba658c2ff27213426d514992539996c33da896dc13b072d48eea36579b827b80d624f43869b96ac715b35099ffedf8e55fbf1ac1502ead3dc24eb233f04ef494874d56923cbab7ded63f39725988f7f59245fddb47e2fd223ab2819056d608251a706a45b4ad132df95221fc022ee7ab5c8c9c2fa53abca3b68107f8e34596a5a7ae825520fa3a0110478d9aae25c8b685968d02e9543b82467bad885748f7e6d7048c4dd9d92aa86f1636ba196e9af6405be9b024ed78ec2ee485ce49abd4d72edd2272b60c3a66d61c2ca9cbdfa56ba28bab6b6866bab3bc266d0b132905cdc1de7c05c5ec6d2cd242853ca3bc053024aa93721d3a50dc14bc7ecbfca067451b4701a8b8a843ea2f87d71aa6bb0ce1230a89e09f0401010df6ac8e032261813f9498606025673271afcfbab4b13d9c7887df5d17d967438c21117716a46e07b1e052beb46ce471d2d564e6eec19bf02c42a611f7dcde8847bfa94e019823c4597e9aaee7d1d3a5a1fceea4f1794e221c6bc963850a2c04c61acb12663eb4b7ad4602089b95370ec598f5104dbe4b97a9896e5564963db76ad14c9b0663c3b4ec79578c3a2be2a8b997052d38c8ef9d71fc895f149ee44c86d47c07e7ac56b72535de826a40c1aa951314e638e062a47c9f81003610cd35598d8284eaf16302b5ffe79f0018bae846ac1f47113ad1f71e66eb1ad4b1b7d282a80fb65791e04490a1695d8ed675074e4f335f22584b81ee43f084d565b0ff839d454212bb3d79eccb954dd0c6c7b14332c7249e683d418e5f79d2dc032c4b41dcc82cac2ed45239976a8fc3d7e0b8bcb2d1ad3159e67f26fcd9e7615109cace288bfee7f3475655b97299840b1f4cd99152fce8975c606df05bad5f59a6618fd85489276cf9254711a4321cf0d142b717b4ca005e241476c807523648d3fa5c77cce65f4253d2e4ff1bab101b7513f7a344a623fd5955f9e9", 0x1000, 0xfffffffffffffff9) keyctl$clear(0x7, r1) 00:58:00 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x1c, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @acquire], 0x0, 0x0, 0x0}) 00:58:00 executing program 4: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$sock_int(r0, 0x1, 0x3c, &(0x7f0000000100), 0x4) pipe2(&(0x7f0000000000)={0xffffffffffffffff}, 0x4800) ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000040)={{0x8000, 0x9, 0x8, 0x5}, 'syz0\x00', 0x13}) [ 330.197369] binder: send failed reply for transaction 461, target dead 00:58:00 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:00 executing program 4: r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x3, &(0x7f0000000000)=0xbf207ff, 0x100, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x12000, 0x0) get_mempolicy(0x0, &(0x7f00003e8000), 0x401, &(0x7f0000336000/0x3000)=nil, 0x3) [ 330.460935] binder: 12610:12611 BC_INCREFS_DONE u0000000000000000 node 465 cookie mismatch 0000000000000001 != 0000000000000000 00:58:00 executing program 3: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 330.545541] binder: release 12610:12611 transaction 466 out, still active [ 330.552734] binder: unexpected work type, 4, not freed [ 330.558045] binder: undelivered TRANSACTION_COMPLETE [ 330.635874] binder: release 12614:12615 transaction 470 out, still active [ 330.643110] binder: unexpected work type, 4, not freed [ 330.648431] binder: undelivered TRANSACTION_COMPLETE 00:58:00 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x58, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:00 executing program 1: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 330.726762] binder: send failed reply for transaction 466, target dead [ 330.733746] binder: send failed reply for transaction 470, target dead 00:58:00 executing program 3: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:01 executing program 4: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = epoll_create1(0x0) r2 = epoll_create1(0x0) r3 = dup3(r0, r2, 0x0) r4 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r4, &(0x7f0000000040)) epoll_ctl$EPOLL_CTL_ADD(r4, 0x1, r2, &(0x7f00000001c0)) ioctl$TUNSETNOCSUM(r3, 0x400454c8, 0x1) epoll_ctl$EPOLL_CTL_ADD(r4, 0x1, r0, &(0x7f0000000000)) [ 330.954451] binder: 12625:12629 BC_INCREFS_DONE u0000000000000000 node 473 cookie mismatch 0000000000000001 != 0000000000000000 [ 330.966450] binder_transaction: 1 callbacks suppressed [ 330.966473] binder: 12625:12629 got transaction to context manager from process owning it [ 330.980280] binder: 12625:12629 transaction failed 29201/-22, size 0-0 line 2887 00:58:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:01 executing program 2: mmap(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x0, 0x1b071, 0xffffffffffffffff, 0x0) r0 = socket(0x200000000000011, 0x2, 0x0) setsockopt$packet_int(r0, 0x107, 0x14, &(0x7f0000000180), 0x4) r1 = syz_genetlink_get_family_id$team(&(0x7f0000000040)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@mcast1, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in6=@dev}}, &(0x7f00000000c0)=0xe8) getsockopt$inet_mreqn(r0, 0x0, 0x24, &(0x7f0000000100)={@empty, @remote, 0x0}, &(0x7f0000000140)=0xc) getpeername$packet(r0, &(0x7f0000000340)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000000380)=0x14) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f00000003c0)={{{@in6=@local, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in6=@ipv4={[], [], @dev}}}, &(0x7f00000004c0)=0xe8) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000500)={'team0\x00', 0x0}) getsockname$packet(r0, &(0x7f0000000680)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f00000006c0)=0x14) getpeername$packet(r0, &(0x7f0000000700)={0x11, 0x0, 0x0}, &(0x7f0000000740)=0x14) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000780)={{{@in6=@ipv4={[], [], @multicast2}, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@dev}, 0x0, @in=@empty}}, &(0x7f0000000880)=0xe8) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f00000002c0)={0x0, @local}, &(0x7f0000000300)=0xc) getsockname$packet(r0, &(0x7f0000000a00)={0x11, 0x0, 0x0}, &(0x7f0000000a40)=0x14) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000b40)={'vcan0\x00', 0x0}) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000000b80)={0x0, @broadcast, @broadcast}, &(0x7f0000000bc0)=0xc) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000c00)={{{@in6=@ipv4={[], [], @local}, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@dev}, 0x0, @in=@broadcast}}, &(0x7f0000000d00)=0xe8) getsockopt$inet6_mreq(r0, 0x29, 0x1f, &(0x7f0000000d40)={@loopback, 0x0}, &(0x7f0000000d80)=0x14) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000dc0)={'vcan0\x00', 0x0}) getpeername$packet(r0, &(0x7f0000000ec0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000000f00)=0x14) getpeername$packet(r0, &(0x7f0000000f40)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000f80)=0x14) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000fc0)={'bond0\x00', 0x0}) accept(r0, &(0x7f0000001000)=@xdp={0x2c, 0x0, 0x0}, &(0x7f0000001080)=0x80) getsockname$packet(r0, &(0x7f0000001180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, &(0x7f00000011c0)=0x14) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000001200)={'veth1_to_bridge\x00', 0x0}) accept4$packet(r0, &(0x7f0000002340)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000002380)=0x14, 0x80000) recvmmsg(r0, &(0x7f0000002600)=[{{&(0x7f00000023c0)=@hci={0x1f, 0x0}, 0x80, &(0x7f0000002500)=[{&(0x7f0000002440)=""/62, 0x3e}, {&(0x7f0000002480)=""/106, 0x6a}], 0x2, &(0x7f0000002540)=""/138, 0x8a}, 0xb848}], 0x1, 0x12000, 0x0) getsockname$packet(r0, &(0x7f0000002900)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000002940)=0x14) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000002980)={0x0, @broadcast, @dev}, &(0x7f00000029c0)=0xc) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000002a00)={'team0\x00', 0x0}) getsockopt$inet_mreqn(r0, 0x0, 0x27, &(0x7f0000002a40)={@multicast2, @loopback, 0x0}, &(0x7f0000002a80)=0xc) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000002ac0)={'veth0_to_bridge\x00', 0x0}) sendmsg$TEAM_CMD_OPTIONS_SET(r0, &(0x7f0000003640)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000003600)={&(0x7f0000002b00)={0xad8, r1, 0x8, 0x70bd27, 0x25dfdbfe, {}, [{{0x8, 0x1, r2}, {0x4}}, {{0x8, 0x1, r3}, {0xb4, 0x2, [{0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x9}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x8}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x8}}, {0x8, 0x6, r4}}}]}}, {{0x8, 0x1, r5}, {0xf4, 0x2, [{0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0xe9}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x1}}, {0x8, 0x6, r6}}}, {0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'loadbalance\x00'}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x4ccd}}}]}}, {{0x8, 0x1, r7}, {0x1a4, 0x2, [{0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0x7}}, {0x8, 0x6, r8}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8}, {0x8, 0x4, r9}}, {0x8}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x1e000000000000}}, {0x8, 0x6, r10}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x5}}, {0x8, 0x6, r11}}}, {0x64, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x34, 0x4, [{0x1, 0x1, 0xc52, 0x80000000}, {0x200, 0x1dbbf90bc000, 0x7, 0x7f}, {0x0, 0x18000000, 0x5, 0xc597}, {0x8001, 0x2b, 0x9, 0x7}, {0x100000000, 0x8000, 0x80, 0x8}, {0x7, 0xffff, 0xffffffffffffff00, 0x5}]}}}, {0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r12}}}]}}, {{0x8, 0x1, r13}, {0x178, 0x2, [{0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8}}, {0x8}}}, {0x3c, 0x1, @enabled={{{0x24, 0x1, 'enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r14}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r15}}}, {0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'loadbalance\x00'}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8}, {0x8, 0x4, r16}}, {0x8}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0xfffffffffffffffe}}, {0x8, 0x6, r17}}}]}}, {{0x8, 0x1, r18}, {0x88, 0x2, [{0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x400}}, {0x8, 0x6, r19}}}, {0x44, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x14, 0x4, [{0x4, 0x2c4a, 0xde8, 0x1}, {0x6, 0x401, 0x101, 0x8}]}}}]}}, {{0x8, 0x1, r20}, {0x1b8, 0x2, [{0x3c, 0x1, @enabled={{{0x24, 0x1, 'enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r21}}}, {0x5c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x2c, 0x4, [{0x10000, 0x100000001, 0x5}, {0xffffffff, 0x3ff, 0x0, 0x2}, {0xffffffff, 0x8, 0x100000001, 0x3}, {0x4, 0x2, 0x6, 0xfffffffffffffff7}, {0x7fff, 0x9, 0x3f, 0x5}]}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8}, {0x8, 0x4, r22}}, {0x8}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x6}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0xa6}}, {0x8, 0x6, r23}}}, {0x64, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x34, 0x4, [{0x4, 0x0, 0x3}, {0x9, 0x2, 0xfffffffffffffff9, 0x2}, {0xe3, 0x9, 0x2, 0x8001}, {0x100000000, 0x0, 0x3, 0xfd}, {0x9, 0x1, 0x5, 0x2}, {0xd7d, 0x0, 0x4f20, 0x24c}]}}}]}}, {{0x8, 0x1, r24}, {0x15c, 0x2, [{0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x8}}}, {0x3c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8}, {0xc, 0x4, 'hash\x00'}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8}, {0x8, 0x4, 0x7ff}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x10001}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x6}}}, {0x3c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0xc, 0x4, [{0x8011, 0xf78, 0xcd, 0x7fffffff}]}}}]}}, {{0x8, 0x1, r25}, {0x218, 0x2, [{0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8}, {0x8, 0x4, r26}}, {0x8}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r27}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x5}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x401}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8}, {0x8, 0x4, 0x2}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x6}}, {0x8}}}, {0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r28}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x400000}}}, {0x3c, 0x1, @enabled={{{0x24, 0x1, 'enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r29}}}]}}]}, 0xad8}, 0x1, 0x0, 0x0, 0x20000000}, 0x20008004) [ 331.154932] binder: release 12625:12629 transaction 474 out, still active [ 331.162277] binder: unexpected work type, 4, not freed [ 331.167606] binder: undelivered TRANSACTION_COMPLETE 00:58:01 executing program 1: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 331.207159] binder: BINDER_SET_CONTEXT_MGR already set [ 331.212757] binder: 12638:12641 ioctl 40046207 0 returned -16 00:58:01 executing program 4: mkdir(&(0x7f0000000240)='./control\x00', 0x0) r0 = inotify_init1(0x0) mkdir(&(0x7f00000000c0)='./control/file0\x00', 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000180)='/dev/full\x00', 0x2000, 0x0) setsockopt$inet_mreqsrc(r1, 0x0, 0x2d, &(0x7f00000001c0)={@rand_addr=0x1, @rand_addr=0x4, @loopback}, 0xc) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000023c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) inotify_add_watch(r0, &(0x7f0000000100)='./control\x00', 0xa4000960) r3 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x101001) ioctl$PIO_UNIMAP(r3, 0x4b67, &(0x7f0000000140)={0x1, &(0x7f0000000080)=[{0x8, 0x8}]}) open(&(0x7f0000000040)='./control/file0\x00', 0x200000, 0x0) close(r2) [ 331.270188] binder: release 12638:12645 transaction 478 out, still active [ 331.277360] binder: unexpected work type, 4, not freed [ 331.282823] binder: undelivered TRANSACTION_COMPLETE 00:58:01 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x58, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 331.401141] binder: undelivered TRANSACTION_ERROR: 29201 [ 331.406876] binder: send failed reply for transaction 474, target dead [ 331.413745] binder: send failed reply for transaction 478, target dead 00:58:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:01 executing program 4: r0 = syz_open_dev$sndtimer(&(0x7f0000014000)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000040)={{0x3}}) r1 = syz_open_dev$vbi(&(0x7f0000000080)='/dev/vbi#\x00', 0x1, 0x2) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000140)) unshare(0x20400) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x40505412, &(0x7f00000000c0)) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000000180)={{{@in=@dev, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6}, 0x0, @in=@dev}}, &(0x7f0000000280)=0xe8) bind$alg(r1, &(0x7f0000000340)={0x26, 'rng\x00', 0x0, 0x0, 'drbg_nopr_sha384\x00'}, 0x58) r3 = geteuid() ioctl$KVM_ASSIGN_DEV_IRQ(r1, 0x4040ae70, &(0x7f00000002c0)={0x1, 0x80000001, 0x100000001, 0x402}) setsockopt$RXRPC_SECURITY_KEYRING(r1, 0x110, 0x2, &(0x7f0000000300)='/dev/vbi#\x00', 0xa) setreuid(r2, r3) ioctl$SNDRV_TIMER_IOCTL_START(r0, 0x54a0) ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r0, 0xc0145401, &(0x7f0000000000)={0xffffffffffffffff, 0x2, 0xff, 0x0, 0x2}) 00:58:01 executing program 1: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 331.645553] binder_alloc: 12655: binder_alloc_buf, no vma [ 331.651406] binder: 12655:12656 transaction failed 29189/-3, size 24-8 line 3035 [ 331.673510] binder_alloc: 12655: binder_alloc_buf, no vma [ 331.679132] binder: 12653:12654 transaction failed 29189/-3, size 24-8 line 3035 [ 331.755544] binder: undelivered TRANSACTION_ERROR: 29189 [ 331.806517] binder: undelivered TRANSACTION_ERROR: 29189 00:58:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:01 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 00:58:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x58, 0x0, &(0x7f0000000600)=[@increfs_done={0x40106308, 0x0, 0x1}, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 331.983053] binder_alloc: 12666: binder_alloc_buf, no vma [ 331.988792] binder: 12666:12668 transaction failed 29189/-3, size 24-8 line 3035 00:58:02 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x4, 0x4, 0x4, 0x4a, 0x0, 0xffffffffffffffff, 0x0, [0x2]}, 0x2c) removexattr(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=ANY=[@ANYBLOB="73656375726974392e650d0d0000800000006d696d655f747b706573656c6600"]) [ 332.103291] binder: undelivered TRANSACTION_ERROR: 29189 [ 332.117870] binder: 12670:12672 ioctl c0306201 0 returned -14 [ 332.180235] binder: 12676:12677 BC_INCREFS_DONE u0000000000000000 node 486 cookie mismatch 0000000000000001 != 0000000000000000 [ 332.192380] binder: 12676:12677 got transaction to context manager from process owning it [ 332.200874] binder: 12676:12677 transaction failed 29201/-22, size 0-0 line 2887 00:58:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:02 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 00:58:02 executing program 4: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) socket(0x0, 0x0, 0x0) ppoll(0x0, 0xfffffffffffffcd5, 0x0, 0x0, 0x0) ioctl$sock_SIOCGIFBR(r0, 0x8940, &(0x7f00000000c0)=@generic) [ 332.357148] binder: release 12676:12677 transaction 487 out, still active [ 332.364272] binder: unexpected work type, 4, not freed [ 332.369606] binder: undelivered TRANSACTION_COMPLETE 00:58:02 executing program 2: r0 = getpgrp(0x0) ptrace$getregs(0xe, r0, 0x7, &(0x7f0000000240)=""/240) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x7, 0x31, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8002, &(0x7f0000000000)=0x3, 0x8, 0x0) remap_file_pages(&(0x7f00002ec000/0x200000)=nil, 0x200000, 0x0, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000001300)={0xffffffffffffffff, 0xffffffffffffffff}) rt_sigaction(0x20, &(0x7f0000000100)={&(0x7f0000000040)="f70106000000660f54e740153916ed0c660f1bd8c4e1f85105b77a0000dd364108a608000000c4017ae6aef0fbbdd1f340aa450fc1cb", {0x3}, 0x2, &(0x7f0000000080)="c4e1ff705cc8bb08441be1c4e3197ce41e26651b35e2000000c4a201bfd5c4c2712cb726e86c846565f364d9e12ef30f2c9f7c856574c4c2013a4fe564673ef04310ae00000080"}, &(0x7f00000001c0)={&(0x7f0000000140)="c422797903c4c1dd652b36dceaf34190c403715c0ae8442b08c422fd3283be930000f341e069c4e1aa10e0f0410fbaba3067000049", {}, 0x0, &(0x7f0000000180)="c402fd1d0bc40379611c79756746ae449dc4a2790ffb0ff31ef2656565470f8500000080f00fbab4d6cb000000f80f01d6f226dee8"}, 0x8, &(0x7f0000000200)) remap_file_pages(&(0x7f0000051000/0x6000)=nil, 0x6000, 0x2, 0x0, 0x1) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x2000000000002) [ 332.500767] binder: 12679:12684 ioctl c0306201 0 returned -14 [ 332.535548] binder: BINDER_SET_CONTEXT_MGR already set [ 332.540966] binder: 12685:12688 ioctl 40046207 0 returned -16 00:58:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 332.555893] mmap: syz-executor.2 (12690) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst. [ 332.574707] binder: undelivered TRANSACTION_ERROR: 29201 [ 332.580478] binder: send failed reply for transaction 487, target dead [ 332.625287] binder: 12685:12694 transaction failed 29189/-22, size 24-8 line 2896 00:58:02 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x0, 0x0) ioctl$SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE(r1, 0xc0045520, &(0x7f0000000040)=0x1) ioctl$TIOCMBIC(r1, 0x5417, &(0x7f0000000080)) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000180)=@broute={'broute\x06\x00', 0x20, 0x1, 0x1a8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x200005c0], 0x0, 0x0, &(0x7f00000005c0)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x3, 0x0, 0x0, 'gre0\x00', 'bpq0\x00', 'erspan0\x00', 'eql\x00', @empty, [], @remote, [], 0x70, 0xa0, 0x118}, [@common=@redirect={'redirect\x00', 0x8}]}, @common=@NFLOG={'NFLOG\x00', 0x50, {{0x0, 0x0, 0x0, 0x0, 0x0, "11a1ce259c76c98bc9f3f434ac55545cf4d1a16d7a637906dfed7f0e9388a30bdcd138a356bb5624327dbfdb7a07896af639ffd6edae0ec19f656dfb496fea8a"}}}}]}, {0x0, '\x00', 0x1, 0xfffffffffffffffe}, {0x0, '\x00', 0x1, 0xfffffffffffffffc}]}, 0x220) [ 332.707782] binder: undelivered TRANSACTION_ERROR: 29189 00:58:02 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 332.772254] binder: 12695:12696 got transaction to context manager from process owning it [ 332.780894] binder: 12695:12696 transaction failed 29201/-22, size 0-0 line 2887 00:58:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 332.898505] binder: release 12695:12696 transaction 493 out, still active [ 332.906196] binder: unexpected work type, 4, not freed [ 332.911502] binder: undelivered TRANSACTION_COMPLETE [ 332.942334] binder: 12701:12703 ioctl c0306201 0 returned -14 00:58:03 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 333.034536] binder: undelivered TRANSACTION_ERROR: 29201 [ 333.040190] binder: send failed reply for transaction 493, target dead [ 333.054015] binder_alloc: 12705: binder_alloc_buf, no vma [ 333.059825] binder: 12705:12706 transaction failed 29189/-3, size 24-8 line 3035 00:58:03 executing program 0 (fault-call:7 fault-nth:0): r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:03 executing program 4: r0 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x1, 0x1) write$binfmt_elf64(r0, &(0x7f00000000c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40}, [{}]}, 0x78) ioctl$int_in(r0, 0x800020c0045002, &(0x7f0000000080)=0x10001) ioctl$int_in(r0, 0x5452, &(0x7f0000000040)=0x70) [ 333.145646] binder: undelivered TRANSACTION_ERROR: 29189 [ 333.229373] FAULT_INJECTION: forcing a failure. [ 333.229373] name failslab, interval 1, probability 0, space 0, times 1 [ 333.243763] CPU: 1 PID: 12711 Comm: syz-executor.0 Not tainted 5.0.0-rc1+ #9 [ 333.251008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 333.260407] Call Trace: [ 333.263074] dump_stack+0x173/0x1d0 [ 333.266762] ? kmsan_get_shadow_origin_ptr+0x60/0x440 [ 333.271999] should_fail+0xa19/0xb20 [ 333.275786] __should_failslab+0x278/0x2a0 [ 333.280110] should_failslab+0x29/0x70 [ 333.284071] kmem_cache_alloc_trace+0x125/0xb40 [ 333.288810] ? binder_inc_ref_for_node+0x421/0x1d30 [ 333.293906] binder_inc_ref_for_node+0x421/0x1d30 [ 333.298857] ? kmsan_get_shadow_origin_ptr+0x60/0x440 [ 333.304112] binder_ioctl_write_read+0x18c2/0x1a560 [ 333.309280] ? kmsan_get_shadow_origin_ptr+0x60/0x440 [ 333.314577] ? binder_poll+0xbd0/0xbd0 [ 333.318507] ? kmsan_get_shadow_origin_ptr+0x60/0x440 [ 333.323757] binder_ioctl+0x759/0x2d20 [ 333.327709] ? __msan_metadata_ptr_for_load_8+0x10/0x20 [ 333.333128] ? binder_poll+0xbd0/0xbd0 [ 333.337069] ? kmsan_get_shadow_origin_ptr+0x60/0x440 [ 333.342302] ? binder_poll+0xbd0/0xbd0 [ 333.346243] do_vfs_ioctl+0xebd/0x2bf0 [ 333.350201] ? security_file_ioctl+0x92/0x200 [ 333.354765] __se_sys_ioctl+0x1da/0x270 [ 333.358799] __x64_sys_ioctl+0x4a/0x70 [ 333.362740] do_syscall_64+0xbc/0xf0 [ 333.366525] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 333.371749] RIP: 0033:0x457e29 [ 333.374998] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 333.393937] RSP: 002b:00007fa415f85c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 333.401727] RAX: ffffffffffffffda RBX: 00007fa415f85c90 RCX: 0000000000457e29 [ 333.409077] RDX: 00000000200005c0 RSI: 00000000c0306201 RDI: 0000000000000004 [ 333.416382] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 333.423698] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa415f866d4 [ 333.431004] R13: 00000000004bf15a R14: 00000000004d0b00 R15: 0000000000000007 [ 333.438562] binder: 12708:12711 Acquire 1 refcount change on invalid ref 0 ret -22 [ 333.446404] binder: 12708:12711 got transaction to context manager from process owning it [ 333.454874] binder: 12708:12711 transaction failed 29201/-22, size 0-0 line 2887 00:58:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:03 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 333.604482] binder: release 12708:12711 transaction 501 out, still active [ 333.611456] binder: unexpected work type, 4, not freed [ 333.616977] binder: undelivered TRANSACTION_COMPLETE [ 333.656939] binder: BINDER_SET_CONTEXT_MGR already set [ 333.662513] binder: 12721:12722 ioctl 40046207 0 returned -16 [ 333.701234] binder: release 12721:12722 transaction 505 out, still active [ 333.709174] binder: unexpected work type, 4, not freed [ 333.714537] binder: undelivered TRANSACTION_COMPLETE 00:58:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:03 executing program 4: r0 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x1, 0x1) write$binfmt_elf64(r0, &(0x7f00000000c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40}, [{}]}, 0x78) ioctl$int_in(r0, 0x800020c0045002, &(0x7f0000000080)=0x10001) ioctl$int_in(r0, 0x5452, &(0x7f0000000040)=0x70) [ 333.926699] binder: release 12726:12727 transaction 508 out, still active [ 333.933889] binder: unexpected work type, 4, not freed [ 333.939199] binder: undelivered TRANSACTION_COMPLETE [ 334.037982] binder: undelivered TRANSACTION_ERROR: 29201 [ 334.043660] binder: send failed reply for transaction 501, target dead [ 334.050384] binder: send failed reply for transaction 505, target dead [ 334.057213] binder: send failed reply for transaction 508, target dead 00:58:04 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000140)="0adc1f023c123f3188a070") r1 = socket$inet(0x10, 0x3, 0xc) setsockopt$inet_int(r1, 0x0, 0x0, &(0x7f0000000100)=0x100, 0x4) r2 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000180)='/dev/dlm-control\x00', 0x101000, 0x0) setsockopt$SO_VM_SOCKETS_CONNECT_TIMEOUT(r2, 0x28, 0x6, &(0x7f00000001c0)={0x0, 0x7530}, 0x10) sendmsg(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)="24000000060607031dfffd946fa2830020200a0009000200001d85680c1baba20400ff7e28000000110affffba010000000009b356da5a80d18be34c8546c8243929db2406b20cd37ed01cc0", 0x4c}], 0x1}, 0x0) ioctl$VIDIOC_DBG_G_REGISTER(r2, 0xc0385650, &(0x7f0000000200)={{0x7, @name="a6de03daf135e3e4dfa95ed6f6a654ac675cf3e92f6dbf4fd53952086333989a"}, 0x8, 0x30, 0x1}) 00:58:04 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 00:58:04 executing program 0 (fault-call:7 fault-nth:1): r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:04 executing program 3: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:04 executing program 4: r0 = syz_open_dev$sndseq(&(0x7f0000000180)='/dev/snd/seq\x00', 0x0, 0x0) read(r0, &(0x7f0000000040)=""/28, 0xfe91) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f0000000080)={0x200000000bf, @time}) ioctl$SNDRV_SEQ_IOCTL_SET_PORT_INFO(r0, 0x40a85323, &(0x7f0000000300)={{}, 'port0\x00'}) ioctl$SNDRV_SEQ_IOCTL_CLIENT_ID(r0, 0x80045301, 0x0) r1 = gettid() timer_create(0x0, &(0x7f00000002c0)={0x0, 0x12}, &(0x7f00000001c0)) r2 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x34, 0x8080) getresuid(&(0x7f0000000100), &(0x7f0000000140)=0x0, &(0x7f0000000200)) fstat(r0, &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f0000000280), &(0x7f0000000440), &(0x7f0000000480)=0x0) r6 = getgid() r7 = getuid() getresgid(&(0x7f00000004c0), &(0x7f0000000500), &(0x7f0000000540)=0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000580)={{{@in=@empty, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@empty}}, &(0x7f0000000680)=0xe8) r10 = getgid() lstat(&(0x7f00000006c0)='./file0\x00', &(0x7f0000000700)={0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x7, &(0x7f0000000780)=[0xee01, 0xee01, 0xffffffffffffffff, 0xffffffffffffffff, 0xee01, 0xee01, 0xffffffffffffffff]) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f00000007c0)={{{@in6=@local, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast2}}}, &(0x7f00000008c0)=0xe8) getresgid(&(0x7f0000000900), &(0x7f0000000940)=0x0, &(0x7f0000000980)) write$FUSE_DIRENTPLUS(r2, &(0x7f00000009c0)={0x3f0, 0xfffffffffffffffe, 0x1, [{{0x4, 0x0, 0x0, 0xa89, 0x0, 0x4, {0x2, 0x7, 0x1, 0x2, 0x3, 0x80000001, 0x7fff, 0xffffffff, 0x0, 0x5, 0x77dd, r3, r4, 0x7ff, 0x749}}, {0x6, 0x100000000, 0xa, 0x4, ']%md5sumlo'}}, {{0x1, 0x1, 0xffff, 0x8c5a, 0x1d64, 0x1000, {0x3, 0x81, 0x1ff, 0x7f, 0x39, 0x56b, 0x2ae, 0x2, 0xa914, 0x26d, 0x2, r5, r6, 0x8b1, 0x9}}, {0x4, 0x2, 0xd, 0x800, '/dev/snd/seq\x00'}}, {{0x6, 0x2, 0x0, 0x8000, 0x44a8be, 0x7, {0x6, 0x5, 0xffffffffffff67d4, 0x3, 0x4, 0x6, 0x401, 0xfff, 0x6, 0x2, 0xf46, r7, r8, 0xff, 0x2}}, {0x0, 0xaf7, 0x14, 0x9, 'cpuset-{&em1}system/'}}, {{0x1, 0x3, 0x80d, 0x4, 0x100, 0x200, {0x1, 0x10001, 0xfffffffffffffc00, 0x0, 0x100000001, 0x100000000, 0x3, 0xfffffffffffffff7, 0x7fff, 0xfffffffffffffffa, 0x0, r9, r10, 0x8, 0x8}}, {0x4, 0x400, 0x0, 0xcec}}, {{0x6, 0x1, 0x2, 0x8, 0xfffffffffffffffa, 0x2, {0x5, 0x0, 0x9, 0x0, 0xffffffff80000001, 0x10001, 0x81, 0x100000000, 0x7ff, 0xb3, 0x4, r11, r12, 0x80000000, 0x1}}, {0x1, 0x770, 0x6, 0x9, 'port0\x00'}}, {{0x4, 0x2, 0x10001, 0xffffffffffffffff, 0x80000001, 0x100000000, {0x1, 0x4, 0x6, 0x3ac9, 0x8, 0x5, 0x8, 0x8, 0x903c, 0xe67f, 0x2, r13, r14, 0x7b4, 0x7}}, {0x5, 0x8, 0xd, 0x4, '-selinuxnodev'}}]}, 0x3f0) timer_settime(0x0, 0x0, &(0x7f0000000240)={{}, {0x0, 0x1c9c380}}, 0x0) tkill(r1, 0x1000000000013) [ 334.408328] binder: 12739:12740 got transaction to context manager from process owning it [ 334.417177] binder: 12739:12740 transaction failed 29201/-22, size 0-0 line 2887 00:58:04 executing program 3: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 334.466142] binder: release 12739:12740 transaction 512 out, still active [ 334.473339] binder: unexpected work type, 4, not freed [ 334.478631] binder: undelivered TRANSACTION_COMPLETE [ 334.488273] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. 00:58:04 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = openat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x100, 0x104) ioctl$VIDIOC_S_FREQUENCY(r2, 0x402c5639, &(0x7f0000000080)={0x2, 0x4, 0x10001}) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x80008000000009, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:04 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) [ 334.576318] binder: undelivered TRANSACTION_ERROR: 29201 [ 334.582571] binder: send failed reply for transaction 512, target dead [ 334.590915] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. 00:58:04 executing program 2: r0 = socket$inet6(0xa, 0x40000080806, 0x0) bind$inet6(r0, &(0x7f000047b000)={0xa, 0x4e20}, 0x1c) listen(r0, 0x20000000) connect$inet6(0xffffffffffffffff, &(0x7f0000419000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) r1 = accept4(r0, 0x0, 0x0, 0x0) getitimer(0x2, &(0x7f0000000040)) setsockopt$inet6_int(r1, 0x29, 0x40000000031, &(0x7f0000000000)=0x20100080000001f, 0x4) sendmmsg(r1, &(0x7f0000003d40)=[{{&(0x7f0000001b00)=@l2, 0x80, &(0x7f0000001d00), 0x0, &(0x7f0000001d40)}}, {{&(0x7f0000002300)=@nl, 0x80, &(0x7f0000003740), 0x0, &(0x7f00000037c0)}}], 0x4000000000001eb, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000640)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) [ 334.748474] binder: 12759:12760 got transaction to context manager from process owning it 00:58:04 executing program 3: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 334.814949] binder: BINDER_SET_CONTEXT_MGR already set [ 334.820284] binder: 12759:12760 ioctl 40046207 0 returned -16 00:58:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) [ 334.898754] binder_alloc: 12759: binder_alloc_buf, no vma [ 334.903471] binder_send_failed_reply: 6 callbacks suppressed [ 334.903491] binder: send failed reply for transaction 518 to 12759:12760 [ 334.917337] binder: undelivered TRANSACTION_COMPLETE 00:58:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="00634040000000000000e1f32607da6b94473f000000000000000000000000000000180000000000db09f487bbfa6bab8eca5cb704d503f4894ec5ff5b9d2bf32c6abd9e5820f39ecf75005ccab8d8ee9d024402f847f6b5ab7e2792be2fcac016e8b693e23f35fe972057b7db00c377f38d53799b6b435a29a669eb08cbf1c3e443ba5d08ce9adbea0c475a838a32564bf37d2dfc6172bf457973ac23b133bbf09a7771dce6f18b61d0c3d5325bc71ab993e1bf55b5b59288b1f866b5938e9ac4905c81f95353496974639f7f1844af4b7a35dd2dd490bce0e6a9e512939640d0b07ba1e32dd8c3185692804549f068bf7443aaf1c5", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) syz_open_dev$cec(&(0x7f0000000040)='/dev/cec#\x00', 0x3, 0x2) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) syz_open_dev$binder(&(0x7f0000000080)='/dev/binder#\x00', 0x0, 0x2) 00:58:05 executing program 2: migrate_pages(0x0, 0x0, 0x0, &(0x7f0000000040)=0x5) r0 = accept4(0xffffffffffffffff, 0x0, &(0x7f0000000000), 0x80000) getsockopt$netlink(r0, 0x10e, 0x8, &(0x7f0000000080)=""/239, &(0x7f0000000180)=0xef) 00:58:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) 00:58:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 335.213011] binder: 12777:12778 got transaction to context manager from process owning it 00:58:05 executing program 2: socket$inet6(0xa, 0x2, 0x0) 00:58:05 executing program 4: r0 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x0, 0x0) r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0xb4201, 0x0) ioctl$sock_inet_udp_SIOCINQ(r1, 0x541b, &(0x7f00000000c0)) unshare(0x24020400) ioctl$EVIOCREVOKE(r0, 0x40044591, &(0x7f0000000040)) [ 335.415198] binder: 12790:12791 ioctl c0306201 0 returned -14 00:58:05 executing program 0: r0 = syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x35f04191, 0xf403c3b2afa47fbb) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000680)=@filter={'filter\x00', 0xe, 0x4, 0x3c8, 0x0, 0x118, 0x118, 0x0, 0x208, 0x2f8, 0x2f8, 0x2f8, 0x2f8, 0x2f8, 0x4, &(0x7f0000000080), {[{{@uncond, 0x0, 0xf0, 0x118, 0x0, {}, [@common=@ipv6header={0x28, 'ipv6header\x00', 0x0, {0xc8, 0x6}}]}, @REJECT={0x28, 'REJECT\x00'}}, {{@uncond, 0x0, 0xc8, 0xf0}, @REJECT={0x28, 'REJECT\x00', 0x0, {0x7}}}, {{@uncond, 0x0, 0xc8, 0xf0}, @common=@inet=@TCPMSS={0x28, 'TCPMSS\x00', 0x0, {0x656ae607}}}], {{[], 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x428) r1 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 335.643488] binder: 12798:12801 got transaction to context manager from process owning it 00:58:05 executing program 2: r0 = memfd_create(&(0x7f0000000040)='-vmnet0\',^]$\x00', 0x0) r1 = syz_open_dev$sndseq(&(0x7f0000000240)='/dev/snd/seq\x00', 0x0, 0x20000057d) r2 = dup2(r1, r0) ioctl$KVM_GET_PIT2(r2, 0x8070ae9f, &(0x7f00000000c0)) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r2, 0xc08c5332, &(0x7f0000000280)={0x0, 0x0, 0x0, 'queue1\x00'}) r3 = openat$ipvs(0xffffffffffffff9c, 0x0, 0x2, 0x0) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r3, 0xc0045516, &(0x7f0000000080)=0xfffffffffffffffc) bind$pptp(r3, &(0x7f00000001c0)={0x18, 0x2, {0x2, @dev={0xac, 0x14, 0x14, 0x11}}}, 0x1e) write$P9_RLINK(r2, &(0x7f0000000000)={0x7}, 0x285) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r3, 0x4040534e, &(0x7f0000000140)={0x322, @time, 0xfffffffffffffffe, {}, 0x0, 0x200000000000000}) [ 335.693072] binder: 12803:12804 got transaction with invalid offset (0, min 0 max 0) or object. 00:58:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0xfffffffffffffffc) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/vs/sync_persist_mode\x00', 0x2, 0x0) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r3, 0x6, 0x16, &(0x7f0000000080)=[@sack_perm, @mss={0x2, 0x4}, @window={0x3, 0x8, 0x64}, @window={0x3, 0xff, 0x1000}], 0x4) prctl$PR_SET_TIMERSLACK(0x1d, 0x2) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="056304400000000000634040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001187f9a0e8b0320e5b273c009abeddda8ff7c547e5a99b08006e26365bf645e9eb268b9d6bed9d8265052f85e580a45aff91cb00adfde53d917992ed9dcd998d35c5acad83cd7227a272c1deddba563d4a303d2fe152266562ec0de1aaaadaae2a722718361bee9a1bba4c5eea2cd9c4665848523cf13f76e802c3089fd95d37078b4fb44d1f9bcfcfc18206c339e876c8687bf9aff3309455503e2edde41b9a96c9306d70080ff9b92151e9f03ddee49c15015ee790e35afcc0d442cedf1c3c52ca51310d9f4b092832aec720e3312a945a8c7ebe7807918a93dfe792447120562d5cf67236694f88cad5a607810aea3275245246fef02e2a0ddb1a4d9d5bb035ede56ccb5bd4c59123da047ce340bc5fb84a27fad2ead23d65c1f7e0c61644eb500d5b1d6313c99fdeac289a6cb60df45869c8c3cfdee11afa95efa785"], 0x0, 0x0, 0x0}) [ 335.787900] binder: 12806:12807 ioctl c0306201 0 returned -14 [ 335.814455] binder: send failed reply for transaction 529 to 12798:12801 [ 335.830245] binder: undelivered TRANSACTION_COMPLETE 00:58:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:05 executing program 4: r0 = syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x35f04191, 0xf403c3b2afa47fbb) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000680)=@filter={'filter\x00', 0xe, 0x4, 0x3c8, 0x0, 0x118, 0x118, 0x0, 0x208, 0x2f8, 0x2f8, 0x2f8, 0x2f8, 0x2f8, 0x4, &(0x7f0000000080), {[{{@uncond, 0x0, 0xf0, 0x118, 0x0, {}, [@common=@ipv6header={0x28, 'ipv6header\x00', 0x0, {0xc8, 0x6}}]}, @REJECT={0x28, 'REJECT\x00'}}, {{@uncond, 0x0, 0xc8, 0xf0}, @REJECT={0x28, 'REJECT\x00', 0x0, {0x7}}}, {{@uncond, 0x0, 0xc8, 0xf0}, @common=@inet=@TCPMSS={0x28, 'TCPMSS\x00', 0x0, {0x656ae607}}}], {{[], 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x428) r1 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:06 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x802) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="0100ffffffffffff", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 336.048416] binder: 12819:12821 got transaction with invalid offset (0, min 0 max 0) or object. [ 336.057663] binder_transaction: 7 callbacks suppressed [ 336.057707] binder: 12819:12821 transaction failed 29201/-22, size 0-8 line 3097 [ 336.062378] binder: 12818:12820 got transaction to context manager from process owning it [ 336.079049] binder: 12818:12820 transaction failed 29201/-22, size 0-0 line 2887 00:58:06 executing program 2: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer\x00', 0x80000, 0x0) ioctl$TIOCSWINSZ(r0, 0x5414, &(0x7f0000000200)={0xaf05, 0x9, 0x7f, 0x1ff}) r1 = socket$inet6_sctp(0xa, 0x10000000005, 0x84) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(0xffffffffffffffff, 0x6, 0x23, &(0x7f0000000140)={&(0x7f0000ffa000/0x3000)=nil, 0x3000}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r1, 0x84, 0x6e, &(0x7f0000961fe4)=[@in={0x2, 0x0, @dev}], 0x10) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r1, 0x84, 0x1d, &(0x7f000095dff8)=ANY=[@ANYBLOB="01a70000", @ANYRES32=0x0], &(0x7f000095dffc)=0x8) r3 = socket(0xa, 0x1, 0x0) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(r1, 0x84, 0x7b, &(0x7f0000000040)={r2}, &(0x7f0000000100)=0x8) socketpair$unix(0x1, 0x4000000005, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet6_IPV6_IPSEC_POLICY(r3, 0x29, 0x22, &(0x7f0000000300)={{{@in=@loopback, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in6=@empty}}, &(0x7f0000000400)=0xe8) getresuid(&(0x7f0000000440), &(0x7f0000000480)=0x0, &(0x7f00000004c0)) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffff9c, 0x0, 0x11, &(0x7f0000000500)={{{@in=@dev, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@empty}}, &(0x7f0000000600)=0xe8) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000640)={0x0, 0x0}, &(0x7f0000000680)=0xc) getresgid(&(0x7f00000006c0), &(0x7f0000000700)=0x0, &(0x7f0000000740)) lsetxattr$system_posix_acl(&(0x7f0000000240)='./file0\x00', &(0x7f00000002c0)='system.posix_acl_default\x00', &(0x7f0000000780)={{}, {0x1, 0x4}, [{0x2, 0x7, r6}, {0x2, 0x4, r7}, {0x2, 0x7, r8}, {0x2, 0x2, r9}], {0x4, 0x6}, [{0x8, 0x2, r10}], {0x10, 0x4}, {0x20, 0x2}}, 0x4c, 0x1) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200) close(r3) getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x7a, &(0x7f00000000c0)={r4}, &(0x7f00000001c0)=0x10) sendmmsg$inet_sctp(r3, &(0x7f0000000bc0)=[{&(0x7f0000000180)=@in={0x4}, 0x10, &(0x7f0000000140), 0x4, &(0x7f0000000000)=[@sndrcv={0x30, 0x84, 0x1, {0x0, 0x0, 0x7c}}], 0x30}], 0x1, 0x0) 00:58:06 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 336.254666] binder: BINDER_SET_CONTEXT_MGR already set [ 336.260156] binder: 12824:12828 ioctl 40046207 0 returned -16 [ 336.270934] binder: release 12818:12820 transaction 537 out, still active [ 336.271052] binder: 12825:12829 ioctl c0306201 0 returned -14 [ 336.278045] binder: unexpected work type, 4, not freed [ 336.278063] binder: undelivered TRANSACTION_COMPLETE [ 336.333176] binder: 12824:12831 got transaction with invalid offset (0, min 0 max 24) or object. [ 336.342383] binder: 12824:12831 transaction failed 29201/-22, size 24-8 line 3097 00:58:06 executing program 4: r0 = syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x35f04191, 0xf403c3b2afa47fbb) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000680)=@filter={'filter\x00', 0xe, 0x4, 0x3c8, 0x0, 0x118, 0x118, 0x0, 0x208, 0x2f8, 0x2f8, 0x2f8, 0x2f8, 0x2f8, 0x4, &(0x7f0000000080), {[{{@uncond, 0x0, 0xf0, 0x118, 0x0, {}, [@common=@ipv6header={0x28, 'ipv6header\x00', 0x0, {0xc8, 0x6}}]}, @REJECT={0x28, 'REJECT\x00'}}, {{@uncond, 0x0, 0xc8, 0xf0}, @REJECT={0x28, 'REJECT\x00', 0x0, {0x7}}}, {{@uncond, 0x0, 0xc8, 0xf0}, @common=@inet=@TCPMSS={0x28, 'TCPMSS\x00', 0x0, {0x656ae607}}}], {{[], 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x428) r1 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 336.408770] binder_release_work: 10 callbacks suppressed [ 336.408840] binder: undelivered TRANSACTION_ERROR: 29201 [ 336.420097] binder: send failed reply for transaction 537, target dead [ 336.426897] binder: send failed reply for transaction 545 to 12824:12828 [ 336.435863] binder: 12832:12835 transaction failed 29189/-22, size 0-8 line 2896 00:58:06 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 336.491281] binder: undelivered TRANSACTION_ERROR: 29189 [ 336.564528] binder: 12838:12839 got transaction to context manager from process owning it [ 336.573059] binder: 12838:12839 transaction failed 29201/-22, size 0-0 line 2887 [ 336.613833] binder: release 12838:12839 transaction 548 out, still active [ 336.620902] binder: unexpected work type, 4, not freed [ 336.626299] binder: undelivered TRANSACTION_COMPLETE 00:58:06 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) socket$can_raw(0x1d, 0x3, 0x1) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) r3 = socket$inet(0x2, 0xf, 0x2) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x75, &(0x7f0000000480)={0x0, 0x9}, &(0x7f00000004c0)=0xfffffffffffffdcc) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(r3, 0x84, 0x73, &(0x7f0000000500)={r4, 0x81, 0x30, 0x2, 0x4}, &(0x7f0000000540)=0x18) r5 = syz_open_dev$sndpcmp(&(0x7f0000000040)='/dev/snd/pcmC#D#p\x00', 0xc3, 0x200000) setsockopt$bt_BT_FLUSHABLE(r5, 0x112, 0x8, &(0x7f0000000580)=0x6fe, 0x4) ioctl$VHOST_SET_MEM_TABLE(r5, 0x4008af03, &(0x7f0000000680)=ANY=[@ANYBLOB="02000000000010000000000000c9000000000000007318ced6c49f6fcb5fb4b76ef1b29b17069b527e8716cfbeae435d000000", @ANYPTR=&(0x7f0000000080)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="00000000000000000030000000000000ca00000000000000", @ANYPTR=&(0x7f0000000380)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']) 00:58:06 executing program 2: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) times(&(0x7f0000000180)) r0 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0x2, 0x8000) ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x7) [ 336.658880] binder: undelivered TRANSACTION_COMPLETE [ 336.664222] binder: undelivered TRANSACTION_ERROR: 29189 [ 336.669794] binder: undelivered TRANSACTION_ERROR: 29201 00:58:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 336.735213] binder: 12841:12842 got transaction with invalid offset (0, min 0 max 0) or object. [ 336.745101] binder: 12841:12842 transaction failed 29201/-22, size 0-8 line 3097 [ 336.775450] binder: undelivered TRANSACTION_ERROR: 29201 [ 336.781084] binder: send failed reply for transaction 548, target dead 00:58:06 executing program 4: clone(0x41fc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = getpid() rt_tgsigqueueinfo(r0, r0, 0x16, &(0x7f0000000000)) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x2) ptrace(0x10, r0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x5, 0x212e00) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f00000000c0)={0x0, @in={{0x2, 0x4e21, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, &(0x7f0000000180)=0x84) fcntl$F_SET_FILE_RW_HINT(r1, 0x40e, &(0x7f0000000380)=0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000000240)={r2, @in={{0x2, 0x4e23, @initdev={0xac, 0x1e, 0x0, 0x0}}}, [0x3, 0x174, 0x8000, 0x0, 0x7, 0x5, 0x4, 0xff, 0x1, 0x3, 0x9, 0x5, 0x6, 0x8, 0x15]}, &(0x7f0000000340)=0x100) ptrace$getsig(0x4201, r0, 0x0, &(0x7f00000001c0)) [ 336.872242] binder: 12846:12847 got transaction to context manager from process owning it [ 336.880704] binder: 12846:12847 transaction failed 29201/-22, size 0-0 line 2887 [ 336.899849] binder: undelivered TRANSACTION_ERROR: 29201 00:58:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 00:58:07 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$IPT_SO_SET_ADD_COUNTERS(r0, 0x0, 0x13, 0xfffffffffffffffe, 0x176) r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x480001, 0x0) ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000140)={r0, r1, 0x3f, 0xa4, &(0x7f0000000080)="a9a4ad9a88b288e453bcfa2c157d663c7503a4bc97e5376e841b7b1464585b0194ae84179e77f91caa698ed9cfc2a96563748962bc57c78afd48e1d08e4c63a2e8ae95aca135e1a4a042ce44c34b8b12bbc942b7b8f4fe6fe2dec9edd5e3fe6a71ca94a68e37a294a7616052cedf2a59c6a8a4586df8b1b3324504ca317340c70b310a10344e675e48a2df0840e49a2c44d6d57e2f7072df11d22fd77d3054f4990a1c5f", 0x2, 0x200, 0x8001, 0x3, 0x81, 0x3, 0xa2b, 'syz0\x00'}) ioctl$PPPIOCNEWUNIT(r1, 0xc004743e, &(0x7f0000000040)) 00:58:07 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 337.062868] binder: undelivered TRANSACTION_ERROR: 29201 [ 337.068431] binder: send failed reply for transaction 555 to 12846:12847 [ 337.108293] binder: undelivered TRANSACTION_COMPLETE [ 337.113789] binder: undelivered TRANSACTION_ERROR: 29189 [ 337.175424] binder: 12863:12866 transaction failed 29189/-22, size 0-8 line 2896 [ 337.242910] binder: undelivered TRANSACTION_ERROR: 29189 [ 337.247900] binder: 12869:12870 got transaction to context manager from process owning it [ 337.256939] binder: 12869:12870 transaction failed 29201/-22, size 0-0 line 2887 00:58:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 00:58:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:07 executing program 2: r0 = socket$inet(0x2b, 0x1, 0x0) r1 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x2, 0x2) bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000200)={r1, 0x10, &(0x7f00000001c0)={&(0x7f0000000180)=""/25, 0x19, 0x0}}, 0x10) unlink(&(0x7f0000000140)='./file0\x00') bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000280)={r1, 0x10, &(0x7f0000000240)={&(0x7f0000000140), 0x0, r2}}, 0x10) bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000100)={r1, 0x10, &(0x7f00000000c0)={&(0x7f0000000040)=""/73, 0x49, 0xffffffffffffffff}}, 0x10) r3 = dup2(r0, r0) bind$packet(r3, &(0x7f0000000340)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, 0x14) [ 337.502564] binder: 12877:12879 got transaction with invalid offset (0, min 0 max 0) or object. [ 337.511551] binder: 12877:12879 transaction failed 29201/-22, size 0-8 line 3097 00:58:07 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x80, 0x501880) getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f0000000080)={0x0}, &(0x7f00000000c0)=0xc) mq_notify(r2, &(0x7f0000000100)={0x0, 0x28, 0x0, @tid=r3}) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) setsockopt$kcm_KCM_RECV_DISABLE(r2, 0x119, 0x1, &(0x7f0000000140), 0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="0563044000000000006340400000000000000000000000000000000000000000000000000000000000000000000000000000000000009b000000000000000000000000004a4700000000000000f0faac76776f"], 0x0, 0x0, 0x0}) [ 337.553322] binder: undelivered TRANSACTION_ERROR: 29201 [ 337.558904] binder: send failed reply for transaction 562 to 12869:12870 [ 337.571655] binder: undelivered TRANSACTION_COMPLETE 00:58:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) 00:58:07 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0) r1 = dup(r0) write$P9_RREADLINK(r1, &(0x7f0000000000)={0x10, 0x17, 0x2, {0x7, './file0'}}, 0x10) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f00001e6000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x800002, 0x4002011, r3, 0x0) ioctl$EXT4_IOC_GROUP_ADD(0xffffffffffffffff, 0x40286608, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:07 executing program 5: r0 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x0, 0x2) r1 = syz_genetlink_get_family_id$tipc(&(0x7f0000000080)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r0, &(0x7f0000000140)={&(0x7f0000000040), 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x24, r1, 0x102, 0x70bd26, 0x25dfdbfe, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x8}}, [""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000000}, 0x4000) ioctl$KDSETLED(r0, 0x4b32, 0x401) sendmsg$TIPC_CMD_GET_MEDIA_NAMES(r0, &(0x7f0000000240)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000000200)={&(0x7f00000001c0)={0x1c, r1, 0x604, 0x70bd2c, 0x25dfdbfb, {}, ["", "", "", "", "", "", "", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000000}, 0x8050) r2 = semget$private(0x0, 0x1, 0x10) semctl$IPC_INFO(r2, 0x2, 0x3, &(0x7f0000000280)=""/4096) r3 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000001280)='/dev/vga_arbiter\x00', 0x400800, 0x0) ioctl$KVM_GET_PIT(r3, 0xc048ae65, &(0x7f00000012c0)) syz_genetlink_get_family_id$tipc(&(0x7f0000001340)='TIPC\x00') r4 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$sock_inet_SIOCGIFBRDADDR(r0, 0x8919, &(0x7f0000001380)={'bcsh0\x00', {0x2, 0x4e23, @local}}) r5 = syz_genetlink_get_family_id$tipc(&(0x7f00000013c0)='TIPC\x00') setsockopt$packet_fanout_data(r3, 0x107, 0x16, &(0x7f0000001440)={0x2, &(0x7f0000001400)=[{0x2, 0x3, 0x83be}, {0x5, 0x3, 0x3}]}, 0x10) getsockopt$SO_BINDTODEVICE(r4, 0x1, 0x19, &(0x7f0000001480), 0x10) sendmsg$TIPC_CMD_SET_LINK_PRI(r3, &(0x7f00000015c0)={&(0x7f00000014c0)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000001580)={&(0x7f0000001500)={0x68, r5, 0x100, 0x70bd2c, 0x25dfdbfb, {{}, 0x0, 0x4108, 0x0, {0x4c, 0x18, {0x7, @media='eth\x00'}}}, ["", ""]}, 0x68}, 0x1, 0x0, 0x0, 0x4000000}, 0x20000000) r6 = syz_genetlink_get_family_id$tipc2(&(0x7f0000001640)='TIPCv2\x00') sendmsg$TIPC_NL_LINK_GET(r0, &(0x7f0000001900)={&(0x7f0000001600)={0x10, 0x0, 0x0, 0x100000}, 0xc, &(0x7f00000018c0)={&(0x7f0000001680)={0x20c, r6, 0x221, 0x70bd2b, 0x25dfdbfd, {}, [@TIPC_NLA_LINK={0x60, 0x4, [@TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0x44, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xbbc}, @TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7fff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x34c}]}]}, @TIPC_NLA_NODE={0x10, 0x6, [@TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x9554}]}, @TIPC_NLA_NODE={0x3c, 0x6, [@TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x3}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0xfffffffffffffbff}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x55d0}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x3ff}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x3}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0x30, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @broadcast}}, {0x14, 0x2, @in={0x2, 0x4e24, @initdev={0xac, 0x1e, 0x1, 0x0}}}}}]}, @TIPC_NLA_SOCK={0xc, 0x2, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0xb0}]}, @TIPC_NLA_NET={0x1c, 0x7, [@TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x6}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x2}]}, @TIPC_NLA_LINK={0x18, 0x4, [@TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7d}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}]}]}, @TIPC_NLA_MON={0x34, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x4}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x4}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x4}, @TIPC_NLA_MON_REF={0x8, 0x2, 0xda00000000}, @TIPC_NLA_MON_REF={0x8, 0x2, 0xffff}, @TIPC_NLA_MON_REF={0x8, 0x2, 0xe744}]}, @TIPC_NLA_MEDIA={0x94, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x3c, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3abc9674}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x20}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}, @TIPC_NLA_MEDIA_PROP={0x4c, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x401}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffffffffffff7}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1e}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x116460000000}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1000}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xffffffff}]}]}, @TIPC_NLA_MON={0x14, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0xfffffffffffffff9}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}]}]}, 0x20c}, 0x1, 0x0, 0x0, 0x4000800}, 0x20008000) getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000001940)={{{@in=@initdev}}, {{@in6=@local}, 0x0, @in6=@empty}}, &(0x7f0000001a40)=0xe8) epoll_ctl$EPOLL_CTL_DEL(r0, 0x2, r0) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT(r3, 0x404c534a, &(0x7f0000001a80)={0x1ff, 0x2, 0x3}) r7 = syz_genetlink_get_family_id$nbd(&(0x7f0000001b40)='nbd\x00') sendmsg$NBD_CMD_DISCONNECT(r3, &(0x7f0000001c00)={&(0x7f0000001b00)={0x10, 0x0, 0x0, 0x10000100}, 0xc, &(0x7f0000001bc0)={&(0x7f0000001b80)={0x30, r7, 0x8, 0x70bd26, 0x25dfdbfd, {}, [@NBD_ATTR_INDEX={0x8, 0x1, 0x0}, @NBD_ATTR_INDEX={0x8, 0x1, 0x0}, @NBD_ATTR_BLOCK_SIZE_BYTES={0xc, 0x3, 0x1}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000000}, 0x0) prctl$PR_SET_UNALIGN(0x6, 0x1) write$FUSE_BMAP(r3, &(0x7f0000001c40)={0x18, 0x0, 0x1, {0x2}}, 0x18) signalfd4(r4, &(0x7f0000001c80)={0x10001}, 0x8, 0x80000) ioctl$KVM_IRQFD(r3, 0x4020ae76, &(0x7f0000001cc0)={r0, 0x4, 0x0, r3}) r8 = syz_open_dev$sndpcmp(&(0x7f0000001d00)='/dev/snd/pcmC#D#p\x00', 0xffffffff, 0x80) ioctl$DRM_IOCTL_AGP_ALLOC(r8, 0xc0206434, &(0x7f0000001d40)={0x800, 0x0, 0x0, 0x1}) ioctl$EVIOCGMASK(r3, 0x80104592, &(0x7f0000002d80)={0x0, 0x1000, &(0x7f0000001d80)="7118851d2a32c306e0f7eae318001e7901985d43e7cca4a0f868091a77757ebc74f72ce9cf34a1b1261817fa110cb63ba8c77de84f1d1c124b067b094c8c75a57b72b81192bb781178fd6a6953daae76926139b8e5ac02c7af1e1d082e717374b80fe4cf78ce808af0f2b426ba86d19959d760d25b7a1e8b9dae34048a54c988e7c7d50c60c4fdae630853d7a167230020b4c3a94088b174574ab426d9621d056284303cb2c9bfc550e858a2090d128103a59bf730b0550e36ba3c8a6425ae294e251fda424a7b89a23794e6410bfc8c23413768cb2e43c947022cf012ef9592edc7a362d558fa9eef887eb5154411359ac94c8f14197f2c1c08063107a1a11be39fb054863146bbcca2a5047ea8528fc81b8bd0fc166963fe60f7948b8c23b5cd3b6e633e453a41efa4832930acf152a8a037cb1ea13cc9d947f150255c6881189b57e9529912dec936d2374b1565b88d6a0fca9994fa7df1fee2606f20c1db80e557a1e49959322064f5418d3bf94d2b90f546de1f5d6ff7bfe94cba4a1466b597b3eb17fba3b6d4ef2fd557f778d5ce89052dd64280687c3736d417ce4ff82ecbd01c7eee2d0d0f44adacc4f1271f15b6557b8edb92c6401a01a871b57bbae86ef72e93de27f70a13ba7fe9187bb0c84652d5685c59c2f8c6d39394e3e8e3e463b051ddf26046994d409c7e4e4d4c71821c113190ee7e89f04f48723997fe9dcd91b4a64360bfe513bf520fba8edb4c1f8cb6e5f3a21b7e14aaa2faf19fb65ae2a21ee5cc8aa261bb372d1c39e075d51c943b068bdbbec9ef839c28824f2000ed3aad17c0713226a20082591d753a38ef870789a61b0ef09288a9361fcbd7d113873afd5d9bdb74dce2fa618d99c274de293f6e8939519a297e6db70cf86e44577ac47b7fd083870fb9fa597186bc2d32800209340deebc50f87b62cd9cf447879a98e94f54f866e6a08aafc644e1596783b6c881b6dc2b2c4cdc1e3766df2efa85ce4a0f6682b8f541bc2f424ed591494053a9b26ac5a53f1845d4b2a162779d52b299660abdca4c9d75fab7e30898a80cf1d98e66b7904d7319fe9c54b0d1a2becfdaf1563e66e292585685bb9aa439c4c265fb519679229d2378bde3dd006cf9cf01617c445212fbecaef67dc3f7924b6d4d2896d2a48eab4a1db1cbcd3c787f6a93012aca4647a498e139b7eae94d7c4ec697ed8d3a2dd40823fb3859dae9430e38cf61e7b09597075189af94f35de4845066c09a3b6b706d87854366fee3416784a8cb29f61e53af19a85ea10f7c239865b849a9ca785fdf56c1f29e57851cd29c1c12d6258f884391c886295e5751342de4cc46f748470faa70a1c5c6b109685022b3d641216eda1818849170244163eda77e5e42a142fc0743a9036d4434584e4c683fb4d415703c4d876fec7dcb29f41ace86f40120b44449b011d369c48bdf069c76fb3efa370b25bb6a66261d4dab6cb79659688a030ed23fa3089c6857a08cf25caa34a2863cf36dac235341622b5b23750a25a590cf96da6226a7e32860ad6e2f1fe52a2a986bfe3c505989b0fb827fb4ba969017d2783854b77a0222922656d2a0fa7fe3c3b2d6857867a02901daeae0fc5a3791f8f13f0a77957cc951da09215572998da667fa1883931f48f35f6794187abb7b3169c95e8e49293b59d7ea704ccafab9fcccfc2b8dde8ca579b72a0369ad38bf635c9f583de6914f92c9bf4022d943a89d443316a3f0f077f18a744e00c08f25e61087c9e9eae8bce3bd2a056dfb9c9b6d8dffd736ed473e8c5c3a258fac50773dd941cff68615b5784813356d958bcf7b882a0978571f8d0d96e3c8a2481a196e7105ea65ecf5675c11ef6f8b9b24ba465ca7d1ed49ef110a0a51979bc2797638dd56e54a7505dbc83518eec1a89aa047b29f720b3398bdb7c765fe7d92ff28c6ed1bcfdf0f2964a151c1e6964defe69d8e13dd8e7b3c671ee3bdcff43e1ef8a1a78fd7f17236a28b7e1f3df2f746e68875b4369cc203c9f1e7acaeb001bcb63e7235369002fdb3491d2aaedbbd129cb5e853b2ac0b97f0d24664259d21d31eb43525d714d1ecc475db9edb9800b48a4813f092b5216ae2b65264faac9247ca2de0ab31fae557741fbcb36a6d5370a8ce44b296460c834e742c67f57ecddbf25d5f2c575c52c0e35a9f325fb417f0e140c303a02648bb429a458e0b7db4a536401c4ef1bb81bf70afc06c25e911223232f303750ea64fe20fdb6f3111ce972bfdef5f151622a23e5d7249066cb032b5c3c04d4262159ffaf697bc0defe25ddeeaf8c472dbd0bf78c3543d613c78c90a4e825882f6fc5cd4d158e81a4e2150fdb8dc321c79f6d3ddf4103f670396c45beb0f53b22a33d461fdaef329629887167c62d8dbdd7fea63775f17cb93da2c55223daf85901ab3f935c9d1e5446cd4e514ed3d0a2dae2e2917281904201d0596d18abb9d3fb4faee9f60bb9a35d092ac7b871d672732eabbbdbf74b96d451fee3228f92ec4192d4ad48750cce428cfa11197a340df7047dc265f9cb4c07986d8bf5a8aba36e8f8399a84a29c0dedd6533edf1b4087b8984d0c5985b1e5c05d427a7333f1e1abf9b0fa230f6de579360943babcec60f76232a03ae0dd2dad6904b9fdc796035d602f9a9797d9b2bc28708f059044c978cb184209cc29a27bb2d86714023dc9fb5dcc0ea71ce0aa5792387c536cbd6eeb64b9e6c0c874b573db975960ae1f656908dde746a8da2a7c0dfd3842f49d28300f9d97169db4d2fd39cfc81bd4e30f753da22bdd5e955e9303f3433d0d8e94b97e544bf6af68323353717428cacc866a164c0dd5f70e433e15a63d6062ad107656856cbe9dae927cb61a222fbdb9292afbdca36a6d24bb2afc5e60675f8a31c2cc7668ff352c89f7c4858a65494f4b776019238a843ad593973b0ee4329f8b23ad6d14385f3b9cc1771e672e72d161f19a4ea0705432442c8a8b2326a52dd63920196cad8e7cc15521044ef55002f8e446d75f082f5fab08a0c764e55523e8c340bacecdf74cf0a39e683492a6b68d85bb655dd1154ade47b2f2f5b606bdbf896b0d8d7bcd06f1cd89c52b7fc97b64bdce749456f2d9424d9ed887b976c44107a76550304c148b5d32d1be868557b3c82a053554238d972fdc23c78d8eb0b3ceee01f6683e9a0e279e51759bc0038bf18e50ad3311fe8983300c4ea64444c35a470b5c4d3cfba4079901b690138ce1e5d7543460e800461992337cfb0b9a39148e733bba3601fee87f1e9c10edefa4e4bc023f3ae479995eddd973c86f76fe79a178413c8fa457db2968c5c982715486124dcecfd3950c2e6ef3a5849699034cad580d142ac177631abdb31c546a470484f5a0bd7973a491f7339bf13530723fc16c36fcbdf0d831e05f22efa08b0ce0fcda3e7169043ac7f6dc474fd32d6f25d3c7bfe382fa0a3c8a2d6628a7e869b83965309de8b27f27d6cc7fe76b2a73c7f06fae75331f87ac5158d64e4f7922a13642fde80affd1b3cec1d64eca4ecf7ee06d0e027ec60849084438caca58ab119bfca81349e8f2a1601aa4e2592eeff0ab741075a8c771651a8a6dfdc5a9aecb372e5104286778b205d243aa2d3cbdf0826f6ad115bbfe80e95b4f51de1a1076b7ba509a50949501dbc35ca99f82a9233907f9efa217adecd051013e94f6e115c6ae4d394ad2e36c8167c9287792e8ab0b7e0b6c7d6511c2499122633ec0c4ff2850c27b38e5eb73c27b2412a6862c147aecf4d6ea036b69168199e54181a8d358e4f7bb369383706cee44558e2bafba4e11139ead06c6b2e65d0bb921341f0a7373371415c72795c7ae530b567e2189d1a613bf19aa08a12c24c2d0ea640eb99e5077ded4de282774b53e2b72373c625b050ff535faa2701b02547c0558d48ae43e3e234c5c0ebb3cfdfa3e8789e1171e297775193bb57b668b996e5ebdecbe6440cb024feb14103da143e3c106b15630885f9d19b3c5aa83c358c901e004e7f5b8c48e5eaceadaa3b1e8dd0292e9fe77ae238f355ebc3352515e1cac2b743773e63b0aee2c9adef81ef845825750282022fc8a35efda7d6e37f7ddb45877c0ff40dff46cc47fa4f6c58c2dfd78d45372640bf87d37cd6b925e8c12014b6be916ba26d94f83614942894a095c40fb494b9a20865f8d6eadd932b8c6c7e3b1c1071ce0e733b93534a58ce2a1532481cc62818861d58d2b41527acaa8759e82a57e72638d32be3b00d5c716f7005da3cf25d54c34cead10098796a5deb77e18393d9a7778f96fc2994c635227aa747da752a421c11e579899e8a226a227f0411b7d4ec6602898638c48e5730598d184dc2d13b6fe22d697666914f0925ce3a8e8982e70699deb66936c59122318d15fe55404ba425467f6f21fdb7bb236aea385fb20c16c7827ff1c4df734b84a9c1b20ab845be3d15f91b568651cbdef30228857722724f1ada1df4fb2e225197148fa2f6a12f4af6a4468ff45176b480eee8c0dc3fe5b8d1239a92eef072b94ab6fa4f00faac9f0fd70319a43c7deff3d55c1f898d46b5942faf015a25a2f59af8ebd4012895e4c457c7ec5c8ef20611824aa1c24fdc047c101edbd778d712ea2b2fd9273484e909e2751826ead5879a830fcb31c9083c7521d7df8cbec330a6638664a5138247fc021a9f6581d735cc97ef11b89b8378845ed60473bae7d21487a13c1900ee00a31398fb10ab65e69a68a232ca4f18bdd4bfe0c1ba73f62ca994603eea723a5643f5b8295c0d6187bec5c44239327079f632232f0191a033c17c5c1ae7396dba72ea266a8e7659276365a80607687abcfe670cf56ac49ddc4a1865310b61041d7b75825a3a87be4061e593eb2f3f971a19a45e81ae82319fd310c663a305234ba49468cfb8d0bb45708e2e38b2b1a98f68bdb695093894a354f6576e4f423095a33c068280d800f88d16f8efe1f07f523cce9724352f6ed98366b960f281d7af8152d934c49898fbd998bc9b8b94d98d1f1e769dbcc77099874f27b97d4a3ef113500f6b0b091b316bc273f832b386bddb4f4c635d9fa7198dd95e173a3eb8ec5b48640da11e3231ba4eef986251d419e45320f57c702b7bb0d76b0f879d9c038ee5485a3c085f6e1e2d3839d65201c1427d8a8e6e7e7818df993aee84555465f38fc0bd516bc42f37d32421075d3be730bbaeb4c1bedfe64fb1388941675aa81674cd9e3473ea5c16c891f818020ad2c3e4ac47fb6cc93b56603ad426d364ed8978d64c4959b59c7a1b60786fc9dca5bba6693832f46565173288e67e60fecf8884044cf6c51797b58d7bce80c1814b6fc130f1a0a329981d0cb9ef81014b7606835e9b75abd3efb87c378590e84aa8d31be5c8354751d3a2c3e7bd962833e96422382ada3aa7646ee36ea146b40fc320b2515990ae0eb62a57967520c8a85b15a32ba8e24fa5c89bc88b20570643350c6a144b7688311c6cea2816ccf73aedfc697b47d041f7b60eb0a2acd88fca112566c4c518ff4905d1a491ed5d58a9fdd36d0cf00035b444a0ceaae38a17cde8b4c9843468394de8a6d91f4d31f56def0ad9a6bf5027a57a4ef1e402d85a253f58073688123aa093f077078c6a42684ec88c0e08555ce477f12aa26416a74d5b1fbc97d7ede98d7718c62657a1dd744f8fd210e7be9c2bc8dacf38905ef92ded2685797f0184a151a02abe873f84defcc0e21b7b896ef39b8da0f7e92f281b551a6504fd2da74ba6f07eefea9ac423ff4d4bebae98e09cc261c0fc9a7f3fa79c971ab731536ede0c6ab"}) 00:58:07 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$IP_VS_SO_GET_INFO(0xffffffffffffffff, 0x0, 0x481, 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full\x00', 0x0, 0x0) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) dup3(r0, r1, 0x0) ioctl$TIOCSPGRP(0xffffffffffffffff, 0x5410, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) getgroups(0x0, 0x0) setsockopt$inet_buf(r1, 0x0, 0x0, 0x0, 0x0) [ 337.798278] binder: 12892:12893 got transaction to context manager from process owning it 00:58:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f00000003c0)='/dev/binder#\x00', 0x0, 0x800) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat(0xffffffffffffffff, &(0x7f0000000180)='./file0\x00', 0x80, 0x84) ioctl$KVM_SET_ONE_REG(r2, 0x4010aeac, &(0x7f0000000380)={0x9, 0x7}) r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x4020c0, 0x0) openat$apparmor_task_current(0xffffffffffffff9c, &(0x7f00000002c0)='/proc/self/attr/current\x00', 0x2, 0x0) ioctl$sock_SIOCBRADDBR(r3, 0x89a0, &(0x7f0000000280)='bcsf0\x00') socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) pipe2(&(0x7f0000000040)={0xffffffffffffffff}, 0x800) ioctl$VIDIOC_G_CROP(r5, 0xc014563b, &(0x7f0000000080)={0xf, {0x3f, 0x8, 0x65dd, 0x5}}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="056304400600000026634040000000000000000000000000000000000000499d07868b5e3d8000000000000300000000000000000000b917d174484f3148000015000000000015000000000000000000000000"], 0x0, 0x0, 0x0}) 00:58:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) [ 337.996375] binder: send failed reply for transaction 569 to 12892:12893 [ 338.032684] binder: undelivered TRANSACTION_COMPLETE 00:58:08 executing program 2: getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, 0x0, 0x0) getgroups(0x1, &(0x7f0000000180)=[0xee01]) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) epoll_pwait(0xffffffffffffffff, 0x0, 0x0, 0xffff, 0x0, 0x0) r0 = openat(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x20a041, 0x9) ioctl$PIO_CMAP(0xffffffffffffffff, 0x4b71, 0x0) ioctl$KDGKBENT(0xffffffffffffffff, 0x4b46, 0x0) getsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0x0) getsockopt$EBT_SO_GET_ENTRIES(0xffffffffffffffff, 0x0, 0x81, 0x0, 0x0) ioctl$TCSETS(0xffffffffffffffff, 0x5402, 0x0) getgroups(0x0, 0x0) syz_open_procfs$namespace(0x0, 0x0) openat$random(0xffffffffffffff9c, 0x0, 0x80500, 0x0) arch_prctl$ARCH_MAP_VDSO_32(0x2002, 0x0) write$binfmt_misc(r0, 0x0, 0x0) 00:58:08 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:08 executing program 4: syz_emit_ethernet(0x83, &(0x7f0000000340)={@local, @local, [], {@ipv6={0x86dd, {0x0, 0x6, "1bfc97", 0x4d, 0x88, 0x0, @dev, @mcast2, {[], @udp={0x0, 0x4e20, 0x4d, 0x0, [], "e29607149378d33e1db1c73936c77aa3f7fac33b042bd368236862531934ecb1c373d6ea51369e92fb96cc7c6fe4e24d1fcafff87429e50b32881721afab69cc3712c37ed0"}}}}}}, 0x0) [ 338.247029] binder: 12909:12911 Acquire 1 refcount change on invalid ref 6 ret -22 [ 338.254980] binder: 12909:12911 unknown command 1077961510 [ 338.260648] binder: 12909:12911 ioctl c0306201 200005c0 returned -22 00:58:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) [ 338.477841] binder: 12922:12923 got transaction with invalid offset (0, min 0 max 24) or object. 00:58:08 executing program 2: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f00000000c0)=0x100000000008005) perf_event_open(&(0x7f0000000100)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_SET_OUTPUT(r0, 0x2405, 0xffffffffffffffff) 00:58:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000080)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f00000000c0)=ANY=[@ANYBLOB="8500000000e064f65316b8cc0000006f511d63044b7c94e95ceb13d8ae3a96d261fdaae816c644f6fae216d74efa1eca73edeaeb859f5f9de6935f7b5660503fc7a00f0c5012b964eaf886e0d53d82a1bd52f478178773f10137e7bed6b6ea659b8dc3d92e62b9c2f96af4459369d37f311727f340a7d43ed52132e3116f2d32907edf", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) r2 = syz_open_dev$mice(&(0x7f0000000180)='/dev/input/mice\x00', 0x0, 0x191000) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000280)='/dev/hwrng\x00', 0x101000, 0x0) linkat(r2, &(0x7f0000000200)='./file0\x00', r3, &(0x7f00000002c0)='./file0\x00', 0x1400) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) ioctl$FS_IOC_GETVERSION(r0, 0x80087601, &(0x7f0000000040)) [ 338.561892] binder: send failed reply for transaction 576 to 12909:12911 [ 338.582223] binder: undelivered TRANSACTION_COMPLETE 00:58:08 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 338.747132] binder: 12930:12931 got transaction with invalid offset (0, min 0 max 24) or object. [ 338.810168] binder: 12935:12937 got transaction with invalid offset (0, min 0 max 24) or object. [ 338.828168] binder: 12930:12931 got transaction to context manager from process owning it [ 338.855242] binder: 12930:12931 ioctl 80087601 20000040 returned -22 [ 339.019684] IPVS: ftp: loaded support on port[0] = 21 [ 339.130005] chnl_net:caif_netlink_parms(): no params data found [ 339.177146] bridge0: port 1(bridge_slave_0) entered blocking state [ 339.183593] bridge0: port 1(bridge_slave_0) entered disabled state [ 339.191094] device bridge_slave_0 entered promiscuous mode [ 339.199216] bridge0: port 2(bridge_slave_1) entered blocking state [ 339.205783] bridge0: port 2(bridge_slave_1) entered disabled state [ 339.214311] device bridge_slave_1 entered promiscuous mode [ 339.239249] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 339.250304] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 339.272977] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 339.280888] team0: Port device team_slave_0 added [ 339.287225] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 339.295215] team0: Port device team_slave_1 added [ 339.300969] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 339.309006] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 339.366490] device hsr_slave_0 entered promiscuous mode [ 339.402774] device hsr_slave_1 entered promiscuous mode [ 339.453524] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 339.460659] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 339.482169] bridge0: port 2(bridge_slave_1) entered blocking state [ 339.488649] bridge0: port 2(bridge_slave_1) entered forwarding state [ 339.495756] bridge0: port 1(bridge_slave_0) entered blocking state [ 339.502365] bridge0: port 1(bridge_slave_0) entered forwarding state [ 339.560819] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 339.567231] 8021q: adding VLAN 0 to HW filter on device bond0 [ 339.577449] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 339.588808] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 339.597473] bridge0: port 1(bridge_slave_0) entered disabled state [ 339.605115] bridge0: port 2(bridge_slave_1) entered disabled state [ 339.614259] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 339.630954] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 339.637211] 8021q: adding VLAN 0 to HW filter on device team0 [ 339.648244] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 339.656404] bridge0: port 1(bridge_slave_0) entered blocking state [ 339.662965] bridge0: port 1(bridge_slave_0) entered forwarding state [ 339.675486] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 339.684052] bridge0: port 2(bridge_slave_1) entered blocking state [ 339.690598] bridge0: port 2(bridge_slave_1) entered forwarding state [ 339.718096] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 339.730373] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 339.748610] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 339.768309] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 339.779425] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 339.790886] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 339.799893] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 339.808412] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 339.817614] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 339.836616] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 339.850324] 8021q: adding VLAN 0 to HW filter on device batadv0 00:58:10 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x2) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) prctl$PR_SET_THP_DISABLE(0x29, 0x0) getsockname(0xffffffffffffffff, 0x0, 0x0) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x54}, 0x98) 00:58:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:10 executing program 4: bpf$MAP_CREATE(0x0, &(0x7f0000214fd4)={0x2, 0x4, 0x4, 0x234, 0x0, 0xffffffffffffffff, 0x0, [0x305f, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb00]}, 0x2c) 00:58:10 executing program 2: bpf$MAP_CREATE(0x0, &(0x7f0000214fd4)={0x8, 0x4, 0x4, 0x234, 0x0, 0xffffffffffffffff, 0x0, [0x305f, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb00]}, 0x2c) 00:58:10 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) 00:58:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="056304400000000000634040000000000000000000e8d70000000000000000000000ff0000000300009e0f0000000000000000000000000000000000000000fe00000000000000000000000000003bff23b9801eb0f235d8c435ae4a67b4c47d9bcef0d774ad3fb80e29d4a80fd2b378921b84848948e3f58c716c123d03e4f33ed71184c4271b59fdd53049a4219be3c33cbc65eb5a71bc2a452d6e01412bf5d0da54abcd48b8970a5452f29e3516bdc5f2d259706bddfba94292e00ab3a1df1ac941982867473d3898fd0821ae1a17af8032f393e82b5145aee8548e3e16bb532e7ebf8487507718cff6279c973b65e2de6067208fd8a4c71a14c4a3d2c1c07048f352b2b34b2f925e31ad5c27a04cedf73232ed983760f9abf27f776e9b547fcaa278f970c70b7c9614ffabeeda7eb54940659eb38ead96ec53237548eeedf9b8942716aaf6a3c9f773"], 0x0, 0x0, 0x0}) [ 340.055099] binder: 12950:12952 got transaction to context manager from process owning it [ 340.069563] binder: release 12951:12955 transaction 591 out, still active [ 340.076655] binder: undelivered TRANSACTION_COMPLETE [ 340.095924] binder: 12954:12958 got transaction with invalid offset (0, min 0 max 0) or object. 00:58:10 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) [ 340.160730] binder: send failed reply for transaction 586 to 12950:12952 [ 340.168041] binder: send failed reply for transaction 591, target dead 00:58:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0xffffffffffffffff, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = mmap$binder(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x1, 0x84011, r1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0xa8, 0x0, &(0x7f0000000380)=[@acquire={0x40046305, 0x4}, @increfs={0x40046304, 0x3}, @transaction={0x40406300, {0x1, 0x0, 0x1, 0x0, 0x11, 0x0, 0x0, 0x0, 0x48, &(0x7f0000000080), &(0x7f00000000c0)=[0x0, 0x48, 0x38, 0x38, 0x38, 0x28, 0x38, 0x0, 0x20]}}, @reply_sg={0x40486312, {{0x2, 0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x58, 0x30, &(0x7f0000000280)=[@fd={0x66642a85, 0x0, r1, 0x0, 0x2}, @flat={0x776a2a85, 0x100, r3, 0x4}, @ptr={0x70742a85, 0x1, &(0x7f0000000140), 0x1, 0x0, 0x30}], &(0x7f00000001c0)=[0x0, 0x48, 0x28, 0x0, 0x28, 0x38]}, 0x3}}, @decrefs], 0xee, 0x0, &(0x7f0000000440)="a9eccb06526a763928648b9b54f72915b902997ef9e301dcd310bbf0222fe16f885d35fcc5205cdfba374c5e76df0333eadf06968d6d43d998f1251cb61e8cacc8ff3b95797e1e2a4d9f9be96bfba151a846acef15b2264311022f8fbb5af60c782c98b1ee792ebe474eac8b461a89aac5be310f78ecdca895399d91d30a8bfc87ca2bd1b329023df58588eb54c65a135603549d1c4ecd9b7f230a00543713aa34de20a0805c8f3ece4387ca976b42df7327b9b64c3d9a0c2c285595c946badfe73511a1aa5c714615585cec5f9e4301a19b22e87dd2590e2a2d991aead5d1adc8125d1660762e713c07009ff471"}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 340.241393] binder: undelivered TRANSACTION_COMPLETE 00:58:10 executing program 4: perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xee6a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) getresuid(0x0, 0x0, 0x0) mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000380)='sysfs\x00*\x86OK\xc0\v\xce\x1b\xdb cr\x13\xb1\xe8\x94\xd1 q_\x9d\xc1\x12[\x04,r&\xeb\x016\xd9bN\xa1\xd23t\xa6`\xfeZ\xc1sr/\xd3g\xad\"\xe8U0%\xa2\xe8\xbe\v\xc5QCy\xafr\x13\xd3+\x8d]\x06\xdc\x8f\xbf,\x84\x9e\xd9\xcd\xef\xc7K\x03\xdf\xa9\xcbZ\x90\xb2\x8bK$\xd7\x86,=f\xfc\xa51g\xd5BB5CZ=\xbbv\xbc}0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = memfd_create(&(0x7f0000000040)='\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00', 0x0) write$binfmt_elf64(r1, &(0x7f0000000300)=ANY=[@ANYBLOB="7f454c4600000000000012000000000003003e00000000000000000400000000400000000000000000000035570007ef0000c914f53b380002000000ffff000003000000"], 0x44) ioctl$sock_inet6_tcp_SIOCOUTQNSD(0xffffffffffffffff, 0x894b, 0x0) clone(0x2102001ff8, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) write$P9_RREAD(r1, &(0x7f0000000140)=ANY=[@ANYBLOB="9200df00750200870000007939d94fbeda73c435e3d44b05a96f947e6fad6e0cc76ec14a0cc5ebcad142403c7bacd90181980867ab180fe09cbb8201db3497bbe9de17b9e3aa61c1db3a4b4d52aded956efb0002ace0feb2db09efd424bdcc289bafadfb73af6d79c3c6c1fa"], 0x6c) execveat(r1, &(0x7f0000000100)='\x00', 0x0, 0x0, 0x1000) 00:58:11 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) [ 340.916250] binder: release 12966:12968 transaction 595 out, still active [ 340.921234] binder_alloc: 12966: binder_alloc_buf, no vma [ 340.923398] binder: unexpected work type, 4, not freed [ 340.934239] binder: undelivered TRANSACTION_COMPLETE [ 340.994273] binder: send failed reply for transaction 595, target dead [ 341.106546] binder_transaction: 17 callbacks suppressed [ 341.106576] binder: 12995:12997 transaction failed 29189/-22, size 24-0 line 2896 00:58:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:11 executing program 2: seccomp(0x1, 0x0, &(0x7f0000001980)={0x1, &(0x7f0000000580)=[{0x6, 0x0, 0x0, 0xfffffffffffffffe}]}) r0 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = dup2(r0, r0) mkdirat(r1, &(0x7f0000000080)='./file0\x00', 0x0) fchmodat(r0, &(0x7f0000000340)='./file0\x00', 0x0) 00:58:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) lremovexattr(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=@known='com.apple.system.Security\x00') r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/net/pfkey\x00', 0xc00, 0x0) ioctl$sock_SIOCGIFINDEX(0xffffffffffffff9c, 0x8933, &(0x7f0000000140)={'veth1_to_team\x00', 0x0}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'veth0\x00', r3}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="05630440000000000000000000000000e8ffffff000000e6ffffffffffff9500000000000020000000fbd81b8fe016b8ce2663a1452dc6c784041ef3bd5f35d1188d7f08b5ebdff39a762068e00e261c8826"], 0x0, 0x0, 0x0}) ioctl$PERF_EVENT_IOC_DISABLE(r2, 0x2401, 0x0) 00:58:11 executing program 4: r0 = syz_open_dev$loop(&(0x7f00000004c0)='/dev/loop#\x00', 0x0, 0x0) ioctl$IOC_PR_PREEMPT_ABORT(r0, 0x401870cc, 0x0) 00:58:11 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) [ 341.414386] binder: 13010:13014 transaction failed 29189/-22, size 0-8 line 2896 [ 341.467085] binder_release_work: 21 callbacks suppressed [ 341.467099] binder: undelivered TRANSACTION_ERROR: 29189 [ 341.506544] binder: 13018:13019 transaction failed 29189/-22, size 24-0 line 2896 [ 341.537071] binder: 13020:13024 unknown command 0 [ 341.544230] binder: 13020:13024 ioctl c0306201 200005c0 returned -22 [ 341.576690] binder: undelivered TRANSACTION_ERROR: 29189 00:58:11 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x2) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) prctl$PR_SET_THP_DISABLE(0x29, 0x0) getsockname(0xffffffffffffffff, 0x0, 0x0) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x54}, 0x98) 00:58:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:11 executing program 4: socket$key(0xf, 0x3, 0x2) socket$key(0xf, 0x3, 0x2) r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x0, 0x0) socket$key(0xf, 0x3, 0x2) readv(r0, &(0x7f0000000440)=[{&(0x7f0000000080)=""/108, 0x6c}], 0x1) [ 341.620564] audit: type=1326 audit(1551488291.665:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=13013 comm="syz-executor.2" exe="/root/syz-executor.2" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45ac8a code=0xffff0000 00:58:11 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) 00:58:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 341.845819] binder: release 13033:13036 transaction 616 out, still active [ 341.851741] binder: 13029:13035 got transaction with invalid offset (0, min 0 max 0) or object. [ 341.853182] binder: undelivered TRANSACTION_COMPLETE [ 341.861969] binder: 13029:13035 transaction failed 29201/-22, size 0-8 line 3097 [ 341.925290] binder: send failed reply for transaction 612 to 13020:13024 [ 341.932243] binder: send failed reply for transaction 616, target dead [ 341.939060] binder: undelivered TRANSACTION_ERROR: 29201 [ 341.944817] binder: undelivered TRANSACTION_COMPLETE [ 341.949952] binder: undelivered TRANSACTION_ERROR: 29189 00:58:12 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer\x00', 0x2, 0x0) setsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, 0x0, 0x0) write$sndseq(r1, &(0x7f0000000040)=[{0xffffff94, 0x0, 0x0, 0x0, @tick, {}, {}, @quote}], 0xff33) 00:58:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 342.047344] binder: 13040:13042 transaction failed 29189/-22, size 24-8 line 2896 00:58:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0x0, 0x802) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffd7d, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 342.272747] audit: type=1326 audit(1551488292.315:33): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=13013 comm="syz-executor.2" exe="/root/syz-executor.2" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45ac8a code=0xffff0000 [ 342.280976] binder: 13049:13050 transaction failed 29189/-22, size 0-8 line 2896 [ 342.304570] binder: undelivered TRANSACTION_ERROR: 29189 [ 342.409255] binder: undelivered TRANSACTION_ERROR: 29189 [ 342.417245] binder: 13054:13055 ioctl c0306201 20000000 returned -14 [ 342.455106] binder: 13054:13055 got transaction to context manager from process owning it [ 342.463746] binder: 13054:13055 transaction failed 29201/-22, size 0-0 line 2887 00:58:12 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) semget(0x0, 0x4, 0x4) ioctl$RTC_EPOCH_SET(r3, 0x4008700e, 0x9) ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x80000000) openat(0xffffffffffffffff, &(0x7f0000000000)='./file0/file0\x00', 0x181000, 0x8) 00:58:12 executing program 4: r0 = syz_open_dev$admmidi(0x0, 0x40, 0x0) ioctl$RTC_WIE_ON(r0, 0x700f) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(0xffffffffffffffff, 0x28, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_REM(r1, 0x84, 0x65, 0x0, 0x0) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x2) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) prctl$PR_SET_THP_DISABLE(0x29, 0x0) getsockname(0xffffffffffffffff, 0x0, 0x0) r3 = accept4(r1, 0x0, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r2, 0x84, 0x77, 0x0, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r2, 0x84, 0x1f, &(0x7f00000000c0)={0x0, @in={{0x2, 0x0, @broadcast}}, 0xffff, 0x7}, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r3, 0x89e0, &(0x7f0000000040)={r3, r0}) setsockopt$IP6T_SO_SET_REPLACE(0xffffffffffffffff, 0x29, 0x40, 0x0, 0x0) getsockopt$inet_sctp_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x54}, 0x98) 00:58:12 executing program 5: perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xee6a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000380)='sysfs\x00*\x86OK\xc0\v\xce\x1b\xdb cr\x13\xb1\xe8\x94\xd1 q_\x9d\xc1\x12[\x04,r&\xeb\x016\xd9bN\xa1\xd23t\xa6`\xfeZ\xc1sr/\xd3g\xad\"\xe8U0%\xa2\xe8\xbe\v\xc5QCy\xafr\x13\xd3+\x8d]\x06\xdc\x8f\xbf,\x84\x9e\xd9\xcd\xef\xc7K\x03\xdf\xa9\xcbZ\x90\xb2\x8bK$\xd7\x86,=f\xfc\xa51g\xd5BB5CZ=\xbbv\xbc}0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000140)=0x2c) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(r2, 0x84, 0x10, &(0x7f0000000280)=@assoc_value={r3, 0x3}, &(0x7f00000002c0)=0x8) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setpipe(r0, 0x407, 0x81) getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f0000000380)={0x0}, &(0x7f00000003c0)=0xc) getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f0000000400)={{{@in=@initdev, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in6=@ipv4={[], [], @loopback}}}, &(0x7f0000000500)=0xe8) fstat(r5, &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000680)={r6, r7, r8}, 0xc) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 342.665136] binder: undelivered TRANSACTION_ERROR: 29201 [ 342.670782] binder: send failed reply for transaction 621 to 13054:13055 [ 342.739177] binder: undelivered TRANSACTION_COMPLETE [ 342.744564] binder: undelivered TRANSACTION_ERROR: 29189 [ 342.869055] binder: 13068:13073 got transaction to context manager from process owning it [ 342.877649] binder: 13068:13073 transaction failed 29201/-22, size 0-0 line 2887 [ 342.945232] binder: 13077:13078 got transaction with invalid offset (0, min 0 max 24) or object. [ 342.954376] binder: 13077:13078 transaction failed 29201/-22, size 24-8 line 3097 00:58:13 executing program 5: perf_event_open(&(0x7f0000000200)={0x5, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, @perf_bp={0x0, 0x8}}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) [ 343.002453] binder: undelivered TRANSACTION_ERROR: 29201 00:58:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000000ff0f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) [ 343.116382] binder: undelivered TRANSACTION_ERROR: 29201 [ 343.122217] binder: send failed reply for transaction 627 to 13068:13073 [ 343.137901] binder: undelivered TRANSACTION_COMPLETE 00:58:13 executing program 1: r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1) setsockopt(r0, 0x100000000000ff, 0x1, 0x0, 0x0) [ 343.234193] binder: 13086:13087 transaction failed 29189/-22, size 24-8 line 2896 [ 343.347723] binder: 13092:13093 got transaction to context manager from process owning it 00:58:13 executing program 5: r0 = socket(0x11, 0x4000000000080002, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) sendmmsg(r0, &(0x7f0000000100)=[{{&(0x7f0000000040)=@l2, 0x80, 0x0}}, {{&(0x7f0000000040)=@nfc={0x27, 0x9}, 0x80, 0x0}}], 0x2, 0x0) 00:58:13 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) semget(0x0, 0x4, 0x4) ioctl$RTC_EPOCH_SET(r3, 0x4008700e, 0x9) ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x80000000) openat(0xffffffffffffffff, &(0x7f0000000000)='./file0/file0\x00', 0x181000, 0x8) 00:58:13 executing program 1: bpf$MAP_CREATE(0x0, &(0x7f0000000040)={0x5, 0x7, 0x1, 0x3, 0x0, 0xffffffffffffffff, 0x0, [0x15]}, 0x2c) [ 343.671238] binder: send failed reply for transaction 635 to 13092:13093 [ 343.681222] binder: undelivered TRANSACTION_COMPLETE 00:58:13 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) prlimit64(0x0, 0x0, 0x0, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000002740)={0xa, 0x0, 0x0, @local, 0x4}, 0x1c) sendmmsg(r0, &(0x7f0000007e00), 0x136a88c8311572c, 0x11) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x0, &(0x7f0000000040), 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x401, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mremap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x2000, 0x3, &(0x7f000000d000/0x2000)=nil) setsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, 0x0, 0x0) syz_open_dev$sndtimer(&(0x7f0000000000)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_SELECT(0xffffffffffffffff, 0x40345410, &(0x7f0000001000)={{0x100000001}}) 00:58:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) 00:58:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$cec(&(0x7f0000000040)='/dev/cec#\x00', 0x1, 0x2) ioctl$SCSI_IOCTL_DOORLOCK(r2, 0x5380) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r3 = socket$inet6(0xa, 0x3, 0x3) bind$inet6(r3, &(0x7f0000000000), 0x1c) setpriority(0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_DISABLE(0xffffffffffffffff, 0x2401, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:13 executing program 5: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0xffffffce}}, &(0x7f0000000240)='EP\xd4\x00\x1f\x91\xeb/W\xb72$C0%\x03\x9c0\x96\xb2\fkC\x93H\xbfh\x9c\b`\x857\xd6\">c\xad\xc0bO\xba\xe2\xe1\t5\x9d\xcei\"2L\xcc\x13\x16\vh\xca\xe6C\x06\x97%\x9d\xd5-\x1fs\xe1j\xdc5\x92\xd0)%\xdf\xfa\xe8^\x9c\xd29\x8clg\xc8\x7f\xb5\xb1&\x02\xf1E\xb4\x84\xbeE\x91)f\xe8\xb7\xe2\xf6`i\xc5m\xd7l\x1d\xc1\x12\x01<:kM\xe9\x99\xcd\xcd\xc8\x85Z\xee47\xdc\xc8u\x80\xcf\xbeTo\xbb\xfb\xc0\xebV\xd8\xbb\xbe\xa2\x90J|s\xc2', 0x1, 0x348, &(0x7f0000000480)=""/195}, 0x48) [ 343.830499] binder: 13108:13109 got transaction to context manager from process owning it [ 343.841947] binder: 13113:13114 got transaction with invalid offset (0, min 0 max 24) or object. 00:58:14 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0xfffffffffffffe2a, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) prctl$PR_GET_PDEATHSIG(0x2, &(0x7f0000000000)) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:14 executing program 1: r0 = epoll_create(0x7f) r1 = syz_open_dev$vcsa(&(0x7f0000000080)='/dev/vcsa#\x00', 0x1ff, 0x0) ioctl$FICLONE(r0, 0x5451, r1) [ 343.990365] binder: send failed reply for transaction 641 to 13108:13109 [ 344.007577] binder: undelivered TRANSACTION_COMPLETE 00:58:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) 00:58:14 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) semget(0x0, 0x4, 0x4) ioctl$RTC_EPOCH_SET(r3, 0x4008700e, 0x9) ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x80000000) openat(0xffffffffffffffff, &(0x7f0000000000)='./file0/file0\x00', 0x181000, 0x8) [ 344.129041] binder: 13123:13124 got transaction to context manager from process owning it 00:58:14 executing program 5: r0 = syz_open_dev$admmidi(&(0x7f00000001c0)='/dev/admmidi#\x00', 0x40, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(0xffffffffffffffff, 0x28, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_REM(r1, 0x84, 0x65, 0x0, 0x0) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x2) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) prctl$PR_SET_THP_DISABLE(0x29, 0x0) getsockname(0xffffffffffffffff, 0x0, 0x0) r3 = accept4(r1, 0x0, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in={{0x2, 0x4e21, @remote}}, 0xdfa0000000000000, 0x0, 0x0, 0x4, 0x21}, 0x98) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r2, 0x84, 0x77, &(0x7f0000000000)={0x0, 0x3, 0x4, [0x0, 0x1000, 0x3, 0xcb8b]}, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x1f, 0x0, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r3, 0x89e0, 0x0) setsockopt$IP6T_SO_SET_REPLACE(0xffffffffffffffff, 0x29, 0x40, 0x0, 0x0) getsockopt$inet_sctp_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x54}, 0x98) 00:58:14 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000040)={0x1, 0x8, 0x1, 0x3}, 0x3cf) [ 344.291248] binder_alloc: 13123: binder_alloc_buf failed to map pages in userspace, no vma 00:58:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x40, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = add_key$keyring(&(0x7f00000002c0)='keyring\x00', &(0x7f0000000280)={'syz'}, 0x0, 0x0, 0xfffffffffffffffd) keyctl$unlink(0x9, r0, 0xfffffffffffffffd) 00:58:14 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) 00:58:14 executing program 4: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000001380)={0xffffffffffffffff, 0xffffffffffffffff}) socket$inet(0x10, 0x0, 0x0) syz_genetlink_get_family_id$tipc(0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) creat(0x0, 0x800000) getrandom(0x0, 0x0, 0x3) [ 344.646488] binder: 13147:13148 got transaction to context manager from process owning it [ 344.732139] binder: release 13152:13153 transaction 657 out, still active [ 344.739270] binder: undelivered TRANSACTION_COMPLETE 00:58:14 executing program 1: mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000380)='sysfs\x00*\x86OK\xc0\v\xce\x1b\xdb cr\x13\xb1\xe8\x94\xd1 q_\x9d\xc1\x12[\x04,r&\xeb\x016\xd9bN\xa1\xd23t\xa6`\xfeZ\xc1sr/\xd3g\xad\"\xe8U0%\xa2\xe8\xbe\v\xc5QCy\xafr\x13\xd3+\x8d]\x06\xdc\x8f\xbf,\x84\x9e\xd9\xcd\xef\xc7K\x03\xdf\xa9\xcbZ\x90\xb2\x8bK$\xd7\x86,=f\xfc\xa51g\xd5BB5CZ=\xbbv\xbc}0x0}) r3 = mmap$binder(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x2, 0x4110, r0, 0x38) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000400)={0x60, 0x0, &(0x7f0000000280)=[@exit_looper, @free_buffer={0x40086303, r2}, @transaction_sg={0x40486311, {{0x3, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x30, 0x30, &(0x7f00000000c0)=[@fd={0x66642a85, 0x0, r0, 0x0, 0x4}, @flat={0x776a2a85, 0x10a, r3, 0x4}], &(0x7f0000000100)=[0x78, 0x20, 0x0, 0x38, 0x78, 0x0]}}}, @enter_looper], 0x47, 0x0, &(0x7f0000000380)="56e8d6b406f1b31598bd98a2129928670908c27627647bb1ed9d9456d6730c3c66d51927afad8299b863d8ba624e874ae030660fdbbe6b43ba060c597ec7e78a7b76401dc6c60f"}) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000500)={0x4, 0x0, &(0x7f0000000440)=[@enter_looper], 0x4c, 0x0, &(0x7f0000000480)="0f38bd3a5e55b8b2e1d8028b4cfa56108e0cbdbe17b15887dcf4c24950811c33881ced99a2eee1b114359666e04f403a2cfdf0cbee9cf3cfec5c1811190d767a565876c12e201c3b369e2227"}) lsetxattr$security_smack_entry(&(0x7f0000000780)='./file0\x00', &(0x7f00000007c0)='security.SMACK64\x00', &(0x7f0000000800)='/dev/midi#\x00', 0xb, 0x3) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) r5 = syz_open_dev$midi(&(0x7f0000000540)='/dev/midi#\x00', 0x7, 0x8c000) r6 = syz_genetlink_get_family_id$tipc(&(0x7f0000000680)='TIPC\x00') sendmsg$TIPC_CMD_GET_REMOTE_MNG(r5, &(0x7f0000000740)={&(0x7f0000000580)={0x10, 0x0, 0x0, 0x9a3daeca49ab305e}, 0xc, &(0x7f0000000700)={&(0x7f00000006c0)={0x1c, r6, 0x300, 0x70bd27, 0x25dfdbfd, {}, ["", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x40}, 0x20000080) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000fa5ae0a645337d6137493082c5a83c5045c51cf4986e7e7a40f22c117fbf401c946c970c849489ac6c1ceb6d621711500591e85d503f57b588f7749b02da4bbbe5b6df195c251dfd9dab89cbb17d48b692cfdd81209fb09d51e07594b09fe0431785521e75c4eed80f37287d7f3e15afacd6ea"], 0x0, 0x0, 0x0}) ioctl$TIOCGETD(r5, 0x5424, &(0x7f0000000600)) 00:58:15 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0x5, 0x10}}, &(0x7f0000000240)='EP\xd4\x00\x1f\x91\xeb/W\xb72$C0%\x03\x9c0\x96\xb2\fkC\x93H\xbfh\x9c\b`\x857\xd6\">c\xad\xc0bO\xba\xe2\xe1\t5\x9d\xcei\"2L\xcc\x13\x16\vh\xca\xe6C\x06\x97%\x9d\xd5-\x1fs\xe1j\xdc5\x92\xd0)%\xdf\xfa\xe8^\x9c\xd29\x8clg\xc8\x7f\xb5\xb1&\x02\xf1E\xb4\x84\xbeE\x91)f\xe8\xb7\xe2\xf6`i\xc5m\xd7l\x1d\xc1\x12\x01<:kM\xe9\x99\xcd\xcd\xc8\x85Z\xee47\xdc\xc8u\x80\xcf\xbeTo\xbb\xfb\xc0\xebV\xd8\xbb\xbe\xa2\x90J|s\xc2', 0x1, 0x348, &(0x7f0000000480)=""/195}, 0x48) [ 345.111818] binder: send failed reply for transaction 652 to 13147:13148 [ 345.118896] binder: send failed reply for transaction 657, target dead [ 345.141837] binder: undelivered TRANSACTION_COMPLETE 00:58:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) 00:58:15 executing program 5: perf_event_open(&(0x7f0000000100)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ashmem\x00', 0x0, 0x0) ioctl$ASHMEM_PURGE_ALL_CACHES(r0, 0x770a, 0x0) [ 345.386837] binder: 13181:13182 BC_FREE_BUFFER u0000000000000000 no match [ 345.394004] binder: 13181:13182 got transaction to invalid handle 00:58:15 executing program 1: r0 = socket$can_bcm(0x1d, 0x2, 0x2) connect$can_bcm(r0, &(0x7f0000000440), 0x10) sendmsg$can_bcm(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)={0x5, 0x0, 0x0, {}, {0x77359400}, {}, 0x1, @can={{}, 0x0, 0x0, 0x0, 0x0, "934341c138c7f1bf"}}, 0x48}}, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") sendmsg$can_bcm(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000480)={0x6, 0x0, 0x0, {0x77359400}, {0x77359400}, {}, 0x1, @can={{}, 0x0, 0x0, 0x0, 0x0, "197105f76ac7511b"}}, 0x48}}, 0x0) 00:58:15 executing program 4: perf_event_open(&(0x7f0000000080)={0x2, 0x70, 0x910, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_SET_BPF(r1, 0x40042408, 0xffffffffffffffff) 00:58:15 executing program 0: r0 = socket(0x3, 0x802, 0x9501) ioctl$sock_inet6_tcp_SIOCINQ(r0, 0x541b, &(0x7f0000000040)) r1 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x2000008, 0x102010, r1, 0x36) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="0563044000000000006340400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) 00:58:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) 00:58:15 executing program 5: socketpair$unix(0x1, 0x80000000002, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x26e1, 0x0) getpid() perf_event_open(&(0x7f00000002c0)={0x2, 0x70, 0x3, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) write$cgroup_subtree(r1, &(0x7f0000000200)=ANY=[@ANYRES16=0x0], 0x2) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700) 00:58:15 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) semget(0x0, 0x4, 0x4) ioctl$RTC_EPOCH_SET(r3, 0x4008700e, 0x9) ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x80000000) [ 345.797809] binder_alloc: 13201: binder_alloc_buf, no vma [ 345.836315] binder: 13201:13203 got transaction to context manager from process owning it 00:58:15 executing program 1: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0xffffff85, 0x10}}, &(0x7f0000000240)='EP\xd4\x00\x1f\x91\xeb/W\xb72$C0%\x03\x9c0\x96\xb2\fkC\x93H\xbfh\x9c\b`\x857\xd6\">c\xad\xc0bO\xba\xe2\xe1\t5\x9d\xcei\"2L\xcc\x13\x16\vh\xca\xe6C\x06\x97%\x9d\xd5-\x1fs\xe1j\xdc5\x92\xd0)%\xdf\xfa\xe8^\x9c\xd29\x8clg\xc8\x7f\xb5\xb1&\x02\xf1E\xb4\x84\xbeE\x91)f\xe8\xb7\xe2\xf6`i\xc5m\xd7l\x1d\xc1\x12\x01<:kM\xe9\x99\xcd\xcd\xc8\x85Z\xee47\xdc\xc8u\x80\xcf\xbeTo\xbb\xfb\xc0\xebV\xd8\xbb\xbe\xa2\x90J|s\xc2', 0x1, 0x348, &(0x7f0000000480)=""/195}, 0x48) 00:58:15 executing program 4: r0 = socket$inet6(0xa, 0x80001, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000fca000)={0x100000001, {{0xa, 0x0, 0x0, @mcast1}}}, 0x88) setsockopt$inet6_MCAST_MSFILTER(r0, 0x29, 0x30, &(0x7f00000004c0)={0x1, {{0xa, 0x0, 0x0, @mcast1}}, 0x0, 0x4, [{{0xa, 0x4e21, 0x400, @loopback, 0x1}}, {{0xa, 0x4e21, 0x3, @remote, 0x2}}, {{0xa, 0x4e20, 0x9, @mcast1, 0x5}}, {{0xa, 0x0, 0x0, @loopback}}]}, 0x290) [ 345.869110] binder_alloc: 13201: binder_alloc_buf, no vma 00:58:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000080)='/dev/null\x00', 0x40040, 0x0) ioctl$TUNATTACHFILTER(r2, 0x401054d5, &(0x7f0000000140)={0xa, &(0x7f00000000c0)=[{0x6, 0x5, 0x9, 0x2}, {0x2, 0x3ff, 0x3, 0xfffffffffffffff7}, {0x7ff, 0x8, 0x1ff, 0xfffffffffffffff9}, {0x5, 0x3ff, 0x97, 0x1000000000}, {0xb962, 0x8000, 0xfffffffffffffffd, 0x6}, {0x7fff, 0x4, 0xffffffffffffffa8, 0x7fff}, {0x7, 0x5a2, 0x1, 0x5d9}, {0x9, 0x3, 0x4, 0x5}, {0x5, 0x150b, 0x8, 0x1}, {0x6, 0xfffffffffffffffb, 0x1}]}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) 00:58:16 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$can_raw(0x1d, 0x3, 0x1) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000440)={'vcan0\x00', 0x0}) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_TX_RING(r2, 0x11b, 0x3, &(0x7f00000000c0)=0x2, 0xc6) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f0000000080)={&(0x7f0000000000)=""/17, 0x2000, 0x1000}, 0x48) setsockopt$XDP_UMEM_FILL_RING(r2, 0x11b, 0x5, &(0x7f00000008c0)=0x8, 0x4) setsockopt$XDP_UMEM_FILL_RING(r2, 0x11b, 0x5, &(0x7f0000000040)=0x20040, 0x4) setsockopt$XDP_UMEM_COMPLETION_RING(r2, 0x11b, 0x6, &(0x7f00000002c0)=0x80, 0x4) bind$xdp(r2, &(0x7f0000000300)={0x2c, 0x0, r1}, 0x10) dup3(r0, r2, 0x0) 00:58:16 executing program 4: setsockopt$IPT_SO_SET_REPLACE(0xffffffffffffffff, 0x0, 0x40, &(0x7f0000000100)=ANY=[@ANYBLOB="73656375726974790000000000000000000000000000010000000000000000000e00000004000000480300002801000000000000280100002801"], 0x1) clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() futex(&(0x7f0000000140)=0x2, 0x0, 0x2, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0xf) write$P9_RREAD(0xffffffffffffffff, &(0x7f0000000100)=ANY=[@ANYBLOB="591402d07701000000cd8fbc162c4d8524e04aba6397600900000056efc427482e7d3691c700cd3edfa7afe309000000000000000000000000"], 0x39) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ptrace$cont(0x18, r0, 0x0, 0x0) ptrace$setregs(0xd, r0, 0x0, &(0x7f00000000c0)) ptrace$cont(0x1f, r0, 0x0, 0x0) 00:58:16 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070") r1 = socket$netlink(0x10, 0x3, 0x0) recvmmsg(r1, &(0x7f0000002d80), 0x400000000000368, 0x1a002, &(0x7f0000000180)={0x77359400}) sendmsg$nl_generic(r1, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000003c0)=ANY=[@ANYBLOB="1400000042000501010000000000000000d3902ffd4cd47ca788bb000000090000008b0f9fc81724c7280822a0ad8acf413b7d4f53d00aa5ff27d1e3f3a51fc5a9aefcb6824a1958f3ff941827c3c58385020438f64a8a78162e27ea9c508c971534fa3df000ea619260b80fd589a9a52c3739ad071d0c7c8f57e5dc9a047eef9b37b03e5fb7ad18adc715503259dc0bd05005fdec5a520fa46e897b34ee632fad1da29a8a669aa7e23d832b3a66ec2c2633fc922c57820fb9919218596ea48e482bb43642568c6387dd8923bcbf8a27fb0079844a0c18421e"], 0x1}}, 0x0) [ 346.265452] binder: 13224:13226 got transaction to context manager from process owning it [ 346.273966] binder_transaction: 12 callbacks suppressed [ 346.273999] binder: 13224:13226 transaction failed 29201/-22, size 0-0 line 2887 [ 346.332850] binder: release 13227:13228 transaction 672 out, still active [ 346.339821] binder: undelivered TRANSACTION_COMPLETE 00:58:16 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) semget(0x0, 0x4, 0x4) ioctl$RTC_EPOCH_SET(r3, 0x4008700e, 0x9) 00:58:16 executing program 3: r0 = socket$netlink(0x10, 0x3, 0x0) recvmmsg(r0, &(0x7f0000002d80), 0x400000000000368, 0x1a002, &(0x7f0000000180)={0x77359400}) sendmsg$nl_generic(r0, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000003c0)=ANY=[@ANYBLOB="1400000042000501010000000000000000d3902ffd4cd47ca788bb000000090000008b0f9fc81724c7280822a0ad8acf413b7d4f53d00aa5ff27d1e3f3a51fc5a9aefcb6824a1958f3ff941827c3c58385020438f64a8a78162e27ea9c508c971534fa3df000ea619260b80fd589a9a52c3739ad071d0c7c8f57e5dc9a047eef9b37b03e5fb7ad18adc715503259dc0bd05005fdec5a520fa46e897b34ee632fad1da29a8a669aa7e23d832b3a66ec2c2633fc922c57820fb9919218596ea48e482bb43642568c6387dd8923bcbf8a27fb0079844a0c18421e"], 0x1}}, 0x0) 00:58:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4c, 0x0, &(0x7f0000000280)=[@transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x20, 0x10, &(0x7f0000000040)=[@fda={0x66646185, 0x7, 0x0, 0x18}], &(0x7f0000000080)=[0x38, 0x78]}, 0x6}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x80000, 0x0) readlinkat(r3, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000200)=""/107, 0x6b) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 346.516108] binder_release_work: 17 callbacks suppressed [ 346.516122] binder: undelivered TRANSACTION_ERROR: 29201 [ 346.527657] binder: send failed reply for transaction 667 to 13224:13226 [ 346.534598] binder: send failed reply for transaction 672, target dead [ 346.602887] binder: undelivered TRANSACTION_COMPLETE [ 346.608090] binder: undelivered TRANSACTION_ERROR: 29189 00:58:16 executing program 4: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$nl_xfrm(0x10, 0x3, 0x6) getsockopt$IP_VS_SO_GET_INFO(0xffffffffffffffff, 0x0, 0x481, 0x0, 0x0) ioctl$TUNSETTXFILTER(0xffffffffffffffff, 0x400454d1, &(0x7f0000000040)=ANY=[@ANYBLOB]) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c00, 0xffffffffffffffff) creat(&(0x7f0000000000)='./file0\x00', 0x30) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x20000102000007) clone(0x2102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() clone(0x3000000a0160100, 0x0, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x11) wait4(0x0, 0x0, 0x0, 0x0) 00:58:16 executing program 5: syz_open_dev$admmidi(&(0x7f00000001c0)='/dev/admmidi#\x00', 0x40, 0x8000) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(0xffffffffffffffff, 0x28, 0x0, 0x0, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_REM(r0, 0x84, 0x65, 0x0, 0x0) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x2) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(0xffffffffffffffff, 0x84, 0x77, 0x0, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(0xffffffffffffffff, 0x89e0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x54}, 0x98) [ 346.689661] binder: 13248:13250 got transaction to invalid handle [ 346.696113] binder: 13248:13250 transaction failed 29201/-22, size 32-16 line 2896 [ 346.716807] binder: 13248:13250 got transaction to context manager from process owning it [ 346.725415] binder: 13248:13250 transaction failed 29201/-22, size 0-0 line 2887 00:58:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000e1ffffff00000000000000000041e1721f8b2b5256cee02a2079160000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="0563044000000000006340400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000099000000002348fdd4aa48360765ab5aa27d84faebe3fdec3773f9a0d66c713ca24d748a3e5e7f608509c525cb208a6f00aab573c8926d1aa691bdfbceec96586d88258b8312e8b6007a6e2e98bc2f000000000000000000000000006219c17729e20e82589e003bafcd6c607f6dbd44943f82ae96748cb5550ce7ddb6312b90"], 0x0, 0x0, 0x0}) [ 346.860544] binder: undelivered TRANSACTION_ERROR: 29201 [ 346.867334] binder: undelivered TRANSACTION_ERROR: 29201 00:58:16 executing program 4: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000480)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) seccomp(0x2, 0x0, 0x0) [ 346.964279] binder_alloc: 13266: binder_alloc_buf size 137816121392 failed, no address space [ 346.973196] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) [ 346.982373] binder: 13266:13267 transaction failed 29201/-28, size 377036842-137439084544 line 3035 [ 347.031875] binder: 13266:13270 got transaction to context manager from process owning it [ 347.040627] binder: 13266:13270 transaction failed 29201/-22, size 0-0 line 2887 00:58:17 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) fsetxattr$trusted_overlay_upper(r1, &(0x7f0000000080)='trusted.overlay.upper\x00', &(0x7f00000000c0)={0x0, 0xfb, 0x80, 0x2, 0x7, "fa1bbfd32e05ea306d4e9befbde77954", "cbdc87ce3b8a387c9dcf9cedd7d8e0e039808e4bc9049ebaaf21916eb9f0e8f0bff106008fc3f0f4b4dd8737c99619f1427c06d2e725ce7a2c0183e677cee93b99513c0bfdc21c547f3988a1e7f000a9d5a871c7b7c0d74859305f8f80352ca67663c0d413572c557b5866"}, 0x80, 0x3) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300ee0000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$sock_inet_SIOCSIFPFLAGS(r2, 0x8934, &(0x7f0000000140)={'netdevsim0\x00', 0x6}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 347.149653] binder: undelivered TRANSACTION_ERROR: 29201 [ 347.156349] binder: undelivered TRANSACTION_ERROR: 29201 00:58:17 executing program 5: r0 = openat$cgroup(0xffffffffffffffff, &(0x7f0000000700)='syz1\x00', 0x200002, 0x0) r1 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffa0008000, 0x0, 0x0, 0x0, 0x0}, 0x28) sendmsg(0xffffffffffffffff, &(0x7f0000002a80)={0x0, 0x0, 0x0}, 0x0) openat$cgroup_int(r1, &(0x7f0000000940)='hugetlb.2MB.limit_in_bytes\x00', 0x2, 0x0) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, 0x0, 0x0}, 0x20) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$cgroup_ro(0xffffffffffffffff, 0x0, 0x2761, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(0xffffffffffffffff, 0x4008240b, 0x0) perf_event_open$cgroup(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0xffffffffffffffff, 0x0, 0xffffffffffffff9c, 0x0) bpf$BPF_MAP_GET_FD_BY_ID(0xe, 0x0, 0x0) r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000001a00)='/dev/net/tun\x00', 0x1, 0x0) write$cgroup_int(r2, 0x0, 0x0) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000000)={'nr0\x01\x00', 0x3001}) bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f00000006c0)={0xffffffffffffffff, 0x0, 0x0}, 0x18) r4 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r4) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000380)) ioctl$PERF_EVENT_IOC_SET_FILTER(r4, 0x8914, &(0x7f0000000e00)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;=\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4NW\xe4:>6\xbdH\xd2\xa8[\xf4\xfdJ\x80N\x83\xf2\xf3\xcf7\x8aCZ\xf5\xe2\x87\xd4\xe2s7\xb4\xad\xa1\x1b&!\x982\xeck+8Dk;\x95\xfe7q\xe9\xf4,\xa3\x0f\xb2\x1e\x12\xf0\xa3\xd8\xbc-\x85EJ\xf9\xfc\xc0#-\x8f\xd9\tD\x8b\x01\xf4lY=1\xea\x1c\x92de\xe3ZA\x99\a\x9c<\xa4\x11(\xb1|\xb0\x1f\xbf[R+\xe0\xfd\x02\x02*\xda7\xfe\xcc\x14\xb6\xc8\xc8\x83\x18\x83\xb8Z\x11\x06\xf2\xf8g\x02\rR\x9f\x17\xa3P\xf2\r\xd3\xbfQ\xa9\x8c\xfd\xa7\f.68\xa4\x83\xfd?\x87\x94\v\xb4x\xb0|L\x11\x03\x94\xc0\t=\x17\x95P\x89\xf2\xca\x97\xbb\xe0u\x12L\x9b\x1f\xf6P\rSj\x95\xd9o\x03\xd4\x85\x96\xe0\b\xbf\n\x02\x8bS\x9c\xecyl\xec\x9b\xf5\x85\xeb\x80\xfe>\r&') ioctl$PERF_EVENT_IOC_QUERY_BPF(0xffffffffffffffff, 0xc008240a, 0x0) write$cgroup_subtree(r3, &(0x7f0000000000)=ANY=[], 0x504) 00:58:17 executing program 4: openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000040)='/\x02roup.stap\x00', 0x2761, 0x0) write$cgroup_int(0xffffffffffffffff, 0x0, 0xb543a4ac5a3c1439) sync() openat$cgroup_int(0xffffffffffffffff, &(0x7f0000000040), 0x657, 0xfeffffff) 00:58:17 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) semget(0x0, 0x4, 0x4) [ 347.308002] binder: 13276:13277 transaction failed 29201/-22, size 0-0 line 2887 00:58:17 executing program 1: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) bpf$MAP_CREATE(0x0, &(0x7f0000000500)={0x200000005, 0xa, 0x2000000000000009, 0x1}, 0x2c) 00:58:17 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) fremovexattr(r1, &(0x7f0000000400)=@random={'osx.', '\x00'}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0x40, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(0xffffffffffffffff, 0x84, 0x72, &(0x7f0000000080)={0x0, 0xfffffffffffffff8, 0x30}, &(0x7f00000000c0)=0xc) setsockopt$inet_sctp6_SCTP_MAXSEG(r2, 0x84, 0xd, &(0x7f0000000100)=@assoc_id=r3, 0x4) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff}) r5 = getpgrp(0x0) lstat(&(0x7f0000000140)='./file0\x00', &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_GET_CLIENT(r2, 0xc0286405, &(0x7f0000000380)={0x400, 0x954, r5, 0x0, r6, 0x0, 0x8, 0x6}) r7 = dup3(r1, r4, 0x80000) ioctl$sock_bt_bnep_BNEPCONNDEL(r2, 0x400442c9, &(0x7f00000003c0)={0x5, @local}) ioctl$PERF_EVENT_IOC_ENABLE(r7, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 347.553723] binder: undelivered TRANSACTION_ERROR: 29201 [ 347.559474] binder: send failed reply for transaction 682 to 13276:13277 00:58:17 executing program 3: r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) connect$inet(r0, &(0x7f0000000000)={0x2, 0x0, @loopback}, 0x10) r1 = socket$inet(0x2, 0x3, 0x7) setsockopt$inet_group_source_req(r1, 0x0, 0x2e, &(0x7f0000000300)={0x0, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @broadcast}}}, 0x108) setsockopt$inet_int(r0, 0x0, 0x12, &(0x7f00000000c0)=0x1, 0x17) [ 347.599062] binder: undelivered TRANSACTION_COMPLETE [ 347.604534] binder: undelivered TRANSACTION_ERROR: 29189 00:58:17 executing program 4: r0 = getpid() sched_setattr(r0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x1, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000580)='/dev/rtc0\x00', 0x20000, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) getgid() add_key$user(&(0x7f0000000600)='user\x00', &(0x7f0000000640)={'syz', 0x3}, &(0x7f00000007c0)="dca3c74b87c88ccd47653a443b23f6", 0xf, 0xfffffffffffffffc) ioctl$RTC_PIE_OFF(0xffffffffffffffff, 0x7006) r3 = request_key(&(0x7f0000000300)='encrypted\x00', &(0x7f0000000340)={'syz', 0x0}, &(0x7f0000000440)=':\x00', 0xfffffffffffffffc) keyctl$restrict_keyring(0x1d, r3, 0x0, &(0x7f00000004c0)='TRUE') stat(&(0x7f0000000a40)='./file0/../file0\x00', 0x0) add_key$user(&(0x7f00000006c0)='user\x00', &(0x7f0000000700)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) request_key(&(0x7f0000000140)='logon\x00', &(0x7f00000008c0)={'syz', 0x0}, 0x0, 0xfffffffffffffff8) linkat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x1400) fstat(0xffffffffffffffff, 0x0) setsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f0000000900)={{{@in6=@initdev={0xfe, 0x88, [], 0x0, 0x0}, @in6=@loopback, 0x4e23, 0x1, 0x4e24, 0x1000, 0xa, 0x80, 0xa0, 0x67}, {0x20, 0x8001, 0x3f, 0x7fff, 0x4, 0x2, 0x4, 0x61}, {0xbf73, 0x6, 0x401, 0x4}, 0x3, 0x6e6bb3, 0x3, 0x0, 0x3, 0x2}, {{@in6=@empty, 0x4d5, 0x6c}, 0x2, @in6=@mcast1, 0x3503, 0x2, 0x3, 0x2, 0x101, 0x78b2800000000}}, 0xe8) ioctl$DRM_IOCTL_SET_SAREA_CTX(0xffffffffffffffff, 0x4010641c, &(0x7f0000000b80)={0x0, &(0x7f0000000b00)=""/119}) setpgid(r0, r0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x0, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x9, 0xbd49, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, r0, 0x0, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') setxattr$trusted_overlay_upper(&(0x7f0000000400)='./file0\x00', &(0x7f0000000480)='trusted.overlay.upper\x00', &(0x7f0000000500)={0x0, 0xfb, 0x4c, 0x6, 0x5, "fae6bc8cf1a5ca4bd5bbd3cdfa564485", "b5484f407fbc4e33194c715a92a38be87b7ef8659097a96061a752d6f651980e043b0c925bd4beb6ad57328dd4eec9ee787631db6244c9"}, 0x4c, 0x2) listen(r2, 0xd4) mkdir(&(0x7f0000000040)='./file0\x00', 0x40) dup2(0xffffffffffffffff, 0xffffffffffffffff) [ 347.681109] binder: 13297:13298 ioctl 8912 400200 returned -22 [ 347.688055] binder_transaction: 1 callbacks suppressed [ 347.688075] binder: 13297:13298 got transaction to context manager from process owning it [ 347.702218] binder: 13297:13298 transaction failed 29201/-22, size 0-0 line 2887 [ 347.714246] binder_alloc: binder_alloc_mmap_handler: 13297 20001000-20004000 already mapped failed -16 [ 347.724768] binder: BINDER_SET_CONTEXT_MGR already set [ 347.730274] binder: 13297:13299 ioctl 40046207 0 returned -16 [ 347.747454] binder_alloc: 13297: binder_alloc_buf, no vma [ 347.753366] binder: 13297:13298 transaction failed 29189/-3, size 24-8 line 3035 [ 347.787422] binder: 13297:13298 ioctl 8912 400200 returned -22 [ 347.808412] binder_alloc: 13297: binder_alloc_buf, no vma [ 347.814315] binder: 13297:13299 transaction failed 29189/-3, size 0-0 line 3035 00:58:17 executing program 1: setsockopt$IPT_SO_SET_REPLACE(0xffffffffffffffff, 0x0, 0x40, &(0x7f0000000100)=ANY=[@ANYBLOB="73656375726974790000000000000000000000000000010000000000000000000e00000004000000480300002801000000000000280100002801"], 0x1) clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() futex(&(0x7f0000000140)=0x2, 0x0, 0x2, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0xf) write$P9_RREAD(0xffffffffffffffff, &(0x7f0000000100)=ANY=[@ANYBLOB="591402d07701000000cd8fbc162c4d8524e04aba6397600900000056efc427482e7d3691c700cd3edfa7afe309000000000000000000000000"], 0x39) socketpair$unix(0x1, 0x0, 0x0, 0x0) ptrace$cont(0x18, r0, 0x0, 0x0) ptrace$setregs(0xd, r0, 0x0, &(0x7f00000000c0)) ptrace$cont(0x1f, r0, 0x0, 0x0) 00:58:17 executing program 5: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10}}, &(0x7f0000000240)='EP\xd4\x00\x1f\x91\xeb/W\xb72$C0%\x03\x9c0\x96\xb2\fkC\x93H\xbfh\x9c\b`\x857\xd6\">c\xad\xc0bO\xba\xe2\xe1\t5\x9d\xcei\"2L\xcc\x13\x16\vh\xca\xe6C\x06\x97%\x9d\xd5-\x1fs\xe1j\xdc5\x92\xd0)%\xdf\xfa\xe8^\x9c\xd29\x8clg\xc8\x7f\xb5\xb1&\x02\xf1E\xb4\x84\xbeE\x91)f\xe8\xb7\xe2\xf6`i\xc5m\xd7l\x1d\xc1\x12\x01<:kM\xe9\x99\xcd\xcd\xc8\x85Z\xee47\xdc\xc8u\x80\xcf\xbeTo\xbb\xfb\xc0\xebV\xd8\xbb\xbe\xa2\x90J|s\xc2', 0x1, 0x348, &(0x7f0000000480)=""/195}, 0x48) [ 347.834476] binder: release 13297:13298 transaction 688 out, still active [ 347.841648] binder: unexpected work type, 4, not freed [ 347.847149] binder: undelivered TRANSACTION_COMPLETE [ 347.889976] binder: undelivered TRANSACTION_ERROR: 29189 [ 347.895814] binder: undelivered TRANSACTION_ERROR: 29189 [ 347.901354] binder: send failed reply for transaction 688, target dead 00:58:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0xff, 0x200) r3 = gettid() getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffff9c, 0x0, 0x11, &(0x7f0000000700)={{{@in6=@ipv4={[], [], @dev}, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in=@dev}}, &(0x7f0000000580)=0xe8) r5 = getegid() sendmsg$unix(r2, &(0x7f0000000840)={&(0x7f0000000080)=@abs={0x0, 0x0, 0x4e22}, 0x6e, &(0x7f0000000680)=[{&(0x7f0000000380)="fa3f5f7dbe4324f2d27c1b0feec83df4b3d2dc3fa863a89a7fa47a6dad6836dbff52525d2417256a5d922d1bcdf970c31f277b2bcd51201f98423761566cb08b8acb9e35194a55df18c28584e9daace2ea44d5a66281d2052404ed81549d64ef08d9806c624c3c43c26b1a332f32f00426eb2b1be127abe64bd6393bf53b2cdcd86464d583dd6026ac8c784f24f71a9a96335ec60c34685ac4662684924f127fe1fe522f9417d37953f28330499a6b1d39068f661c0ca07f66c3f88667858c", 0xbf}, {&(0x7f0000000100)="9577d70ab39fde63276503727d945f7158b8642f0a11bf5b07c5fcc944e31d9afe5f862590a8b2d4d668eec2d9597970d5b48749bd87981460e7a9c6aaa4f329486e654c20111c4414b472f7500d5ce716385e9e7da5801e4620aea8775f86218ccc2799239aa17f343e5ea11c1463371ce876155aa1", 0x76}, {&(0x7f0000000280)="52e947257246059e4a1509ea725ba340fa7eabecea142cb28e36c31ffd50df79465c3133dd417ac40ad308f736c6f81844adaa19bc568200ab5959b02e9971c7d701a4dd8c41f2391cb6f7fbc8528ba136ebd61084b27b109585d13827dc45def98e7dbcd3ec29ad294688574ac5d4a6076e132953431e9c41f0", 0x7a}, {&(0x7f0000000440)="d13e651377d5fbf52f94718d2ff4d51e19a17d84e5d7fd72a93bb5de977a08a9a2a1d1c973b62bfac0faedbdd90ba5c9ca1d49dc52f37ec8f46bbcf6a7d4272b5d02f2505af5ee282621b364088df6c48edeccf724c7a4291780740091e3b9679b9ad703ac49ed662455e799edab4518ddceea848023b1e1de51ad24ad094fa563cd7de4dd0135e04cf8c349e629806917286cf2", 0x94}, {&(0x7f0000000500)="6742601b7f9f4a9e604c84ddbaadbb6be62973a970d25bb5f27a6cef670e9926e7af1eba6d6e7ba376db4065c5ace485190fa8df25c37ec30dc0c68d95d17267fcb3bd1e076ed716930b8aedf8a39c619b4f51b12adfdab050e962cac7d43b60a617c1cf10aa198d7c4fb255fba5d303322cc38bfe8d2d8adbffec7194", 0x7d}], 0x5, &(0x7f0000000800)=[@cred={0x20, 0x1, 0x2, r3, r4, r5}, @rights={0x20, 0x1, 0x1, [r1, r0, r0]}], 0x40, 0x20000000}, 0x20000000) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r6, 0x8912, 0x400200) r7 = syz_genetlink_get_family_id$ipvs(&(0x7f00000008c0)='IPVS\x00') sendmsg$IPVS_CMD_GET_CONFIG(r2, &(0x7f0000000980)={&(0x7f0000000880)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f0000000940)={&(0x7f0000000900)={0x20, r7, 0x100, 0x70bd27, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0xc, 0x1, [@IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}]}]}, 0x20}, 0x1, 0x0, 0x0, 0x10}, 0x4000) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 348.011273] ptrace attach of "/root/syz-executor.1"[13312] was attempted by "/root/syz-executor.1"[13313] 00:58:18 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) 00:58:18 executing program 1: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f00000000c0)) perf_event_open(&(0x7f0000000100)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_SET_OUTPUT(r0, 0x2405, 0xffffffffffffffff) [ 348.113843] binder: 13316:13318 got transaction to context manager from process owning it [ 348.122524] binder: 13316:13318 transaction failed 29201/-22, size 0-0 line 2887 00:58:18 executing program 3: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000000300)={@empty, 0x0, 0x2}, 0x20) 00:58:18 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x10000000013, &(0x7f0000000280)=0x1, 0x4) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000080)='veth1\x00', 0xb) connect$inet(r0, &(0x7f00000000c0)={0x2, 0x0, @loopback}, 0x10) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000040)={0x0, 0x6, 0x7f}, 0x14) setsockopt$inet_tcp_int(r0, 0x6, 0x4000000000013, &(0x7f0000000140), 0x27b) sendto(r0, &(0x7f0000000300)="d0", 0x1, 0x0, 0x0, 0x0) write$binfmt_misc(r0, &(0x7f00000003c0)={'syz1'}, 0x4) sendto(r0, &(0x7f0000000100)="06", 0x1, 0x0, 0x0, 0x0) 00:58:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000000, 0x4010, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 348.376044] binder: send failed reply for transaction 697 to 13316:13318 [ 348.386226] binder: undelivered TRANSACTION_COMPLETE 00:58:18 executing program 4: r0 = getpid() sched_setattr(r0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x1, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000580)='/dev/rtc0\x00', 0x20000, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) getgid() add_key$user(&(0x7f0000000600)='user\x00', &(0x7f0000000640)={'syz', 0x3}, &(0x7f00000007c0)="dca3c74b87c88ccd47653a443b23f6", 0xf, 0xfffffffffffffffc) ioctl$RTC_PIE_OFF(0xffffffffffffffff, 0x7006) r3 = request_key(&(0x7f0000000300)='encrypted\x00', &(0x7f0000000340)={'syz', 0x0}, &(0x7f0000000440)=':\x00', 0xfffffffffffffffc) keyctl$restrict_keyring(0x1d, r3, 0x0, &(0x7f00000004c0)='TRUE') stat(&(0x7f0000000a40)='./file0/../file0\x00', 0x0) add_key$user(&(0x7f00000006c0)='user\x00', &(0x7f0000000700)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) request_key(&(0x7f0000000140)='logon\x00', &(0x7f00000008c0)={'syz', 0x0}, 0x0, 0xfffffffffffffff8) linkat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x1400) fstat(0xffffffffffffffff, 0x0) setsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f0000000900)={{{@in6=@initdev={0xfe, 0x88, [], 0x0, 0x0}, @in6=@loopback, 0x4e23, 0x1, 0x4e24, 0x1000, 0xa, 0x80, 0xa0, 0x67}, {0x20, 0x8001, 0x3f, 0x7fff, 0x4, 0x2, 0x4, 0x61}, {0xbf73, 0x6, 0x401, 0x4}, 0x3, 0x6e6bb3, 0x3, 0x0, 0x3, 0x2}, {{@in6=@empty, 0x4d5, 0x6c}, 0x2, @in6=@mcast1, 0x3503, 0x2, 0x3, 0x2, 0x101, 0x78b2800000000}}, 0xe8) ioctl$DRM_IOCTL_SET_SAREA_CTX(0xffffffffffffffff, 0x4010641c, &(0x7f0000000b80)={0x0, &(0x7f0000000b00)=""/119}) setpgid(r0, r0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x0, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x9, 0xbd49, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, r0, 0x0, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') setxattr$trusted_overlay_upper(&(0x7f0000000400)='./file0\x00', &(0x7f0000000480)='trusted.overlay.upper\x00', &(0x7f0000000500)={0x0, 0xfb, 0x4c, 0x6, 0x5, "fae6bc8cf1a5ca4bd5bbd3cdfa564485", "b5484f407fbc4e33194c715a92a38be87b7ef8659097a96061a752d6f651980e043b0c925bd4beb6ad57328dd4eec9ee787631db6244c9"}, 0x4c, 0x2) listen(r2, 0xd4) mkdir(&(0x7f0000000040)='./file0\x00', 0x40) dup2(0xffffffffffffffff, 0xffffffffffffffff) 00:58:18 executing program 1: clone(0x13102001fef, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x1b) ptrace$cont(0x18, r0, 0x0, 0x0) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x0, 0x3, 0x0, 0x13d}) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x18, r0, 0x0, 0x0) 00:58:18 executing program 3: openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc0\x00', 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000003c0)={0xffffffffffffffff}) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2000000000000002, 0x0, &(0x7f0000000000)) ioctl$ASHMEM_GET_PIN_STATUS(0xffffffffffffffff, 0x7709, 0x0) timerfd_create(0x0, 0x807ff) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0x7, &(0x7f00000000c0)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x2, 0x0) mmap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x2000000, 0x110, r0, 0x0) bind$inet6(r1, &(0x7f00000000c0)={0xa, 0x4e20}, 0x1c) sendto$inet6(r1, 0x0, 0x0, 0x8000, &(0x7f0000000240)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) write$binfmt_elf64(r1, &(0x7f0000000280)=ANY=[@ANYBLOB="7f454c46000061779ba13d083152002f13cd01000000000000000000020000000d000000000000000000007312c7005e19b3901d547ac20000380000000000ff030000000000000000000000000000000000000000000000000000000000000000000000"], 0x64) recvmmsg(r1, &(0x7f0000008880), 0x45b, 0x44000102, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_KVMCLOCK_CTRL(0xffffffffffffffff, 0xaead) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) semctl$GETNCNT(0x0, 0x0, 0xe, 0x0) fcntl$setpipe(0xffffffffffffffff, 0x407, 0x0) accept4(r2, &(0x7f0000000100)=@pptp, &(0x7f0000000180)=0x80, 0x80000) [ 348.534501] binder_alloc: 13338: binder_alloc_buf, no vma [ 348.577740] binder: 13338:13339 got transaction to context manager from process owning it 00:58:18 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r3, 0x28, 0x0, &(0x7f00000005c0)=0x1492000, 0x8) [ 348.701407] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. 00:58:18 executing program 5: r0 = socket$inet6(0xa, 0x2, 0x0) setsockopt$inet6_int(r0, 0x29, 0x4b, &(0x7f00000000c0)=0x800000000007ffd, 0x346) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @ipv4={[], [], @local}}, 0x1c) 00:58:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) r3 = dup2(r1, r1) epoll_ctl$EPOLL_CTL_MOD(r3, 0x3, r2, &(0x7f0000000040)={0x8}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x2400, 0x93) [ 348.756054] ptrace attach of "/root/syz-executor.1"[13352] was attempted by "/root/syz-executor.1"[13353] 00:58:18 executing program 1: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x200000000000013, &(0x7f0000000280)=0x400100000001, 0x4) connect$inet6(r0, &(0x7f0000000080), 0x1c) r1 = dup2(r0, r0) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r1, 0x6, 0x16, &(0x7f0000000440), 0x131f64) clone(0x20002102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r2 = gettid() setsockopt$inet6_group_source_req(r1, 0x29, 0x2d, &(0x7f00000000c0)={0x0, {{0xa, 0x0, 0x0, @mcast1}}, {{0xa, 0x0, 0x0, @initdev}}}, 0x108) ptrace$setopts(0x4206, r2, 0x0, 0x0) tkill(r2, 0x3c) fcntl$setstatus(r1, 0x4, 0x42803) 00:58:19 executing program 4: r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0) readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1) ioctl$int_in(r0, 0x800000c0045002, &(0x7f00000001c0)) read$eventfd(r0, &(0x7f0000000180), 0x8) [ 348.940103] binder: 13360:13362 got transaction to context manager from process owning it [ 348.996132] binder: 13360:13362 ioctl 2400 93 returned -22 00:58:19 executing program 5: socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000080)={'eql\x00\x00\x00\x05\x00\x00\x10\x00', 0x801}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$TUNSETLINK(r1, 0x400454cd, 0x1000030a) ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000000c0)={'eql\x00\x00\x00\xa9[\x00', @ifru_mtu=0x1}) 00:58:19 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x4, 0x810, r2, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x4, 0x1810, r0, 0x0) [ 349.188924] binder: send failed reply for transaction 707 to 13360:13362 [ 349.212995] binder: undelivered TRANSACTION_COMPLETE 00:58:19 executing program 1: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000080)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x2102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() clone(0x3000000a0160100, 0x0, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x11) wait4(0x0, 0x0, 0x0, 0x0) 00:58:19 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:19 executing program 3: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)={0x24, 0x32, 0x119, 0x0, 0x0, {0x2}, [@generic="ffd38d9b", @nested={0xc, 0x1, [@typed={0x8, 0x10, @ipv4=@multicast1=0x4000f06}]}]}, 0x24}}, 0x0) [ 349.442477] binder: 13381:13392 got transaction to context manager from process owning it 00:58:19 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f00000003c0)='/\x02roup.stap\x00', 0x2761, 0x0) ioctl$PERF_EVENT_IOC_PAUSE_OUTPUT(r0, 0x40286608, 0x20000001) [ 349.591954] openvswitch: netlink: Tunnel attr 1551 out of range max 15 00:58:19 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$UI_BEGIN_FF_ERASE(r1, 0xc00c55ca, &(0x7f00000033c0)={0x1, 0x0, 0x867c}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:19 executing program 1: socketpair$unix(0x1, 0x4000000000002, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r1, &(0x7f0000000100), 0x43e, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x3fffffffffffee1, 0x0, 0x0) 00:58:20 executing program 4: r0 = socket$unix(0x1, 0x5, 0x0) ioctl$FS_IOC_MEASURE_VERITY(0xffffffffffffffff, 0xc0046686, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x0, 0x0, 0x0) 00:58:20 executing program 4: socket$unix(0x1, 0x1, 0x0) write$P9_RLINK(0xffffffffffffffff, 0x0, 0x1008b) r0 = socket$unix(0x1, 0x801, 0x0) bind$unix(r0, &(0x7f0000003000)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0xc) getgid() listen(r0, 0x0) ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305828, 0x0) accept$inet6(r0, 0x0, 0x0) [ 350.121902] binder_alloc: binder_alloc_mmap_handler: 13381 20001000-20004000 already mapped failed -16 [ 350.157975] binder: BINDER_SET_CONTEXT_MGR already set [ 350.158740] openvswitch: netlink: Tunnel attr 1551 out of range max 15 [ 350.163537] binder: 13381:13392 ioctl 40046207 0 returned -16 [ 350.172948] binder_alloc: 13381: binder_alloc_buf, no vma 00:58:20 executing program 5: socketpair$unix(0x1, 0x80005, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = memfd_create(&(0x7f00000001c0)='\x00\x00\x06\x00j\x94d\x89\xe2\xba\xedY\xcaE\xdc\x131\x83\x9ep\xa0AG\x8e\'q\x10\x1e\\\xa9?\xec\xbb\xd4\xf0\x9a\xbb\x84;\xbc\x1c\x1e\x19i\x11[\xc0\xca\xb0.6/3\xf43r\xbd\xff\xb8\xa6\xf7\xc0\xf8\t]\x16\xc6\xed=[\x99\n\xce\xf0;%c\x92?\x1f\xd8\xf9\xd8\xe9\x19[NfM\x82\xce\xe9\xb7\xf0fwS\x92\r\xc2\x87\x97\xb69\x0eO\x16\xb5\xb0;W\xc0c\x0e\x06~>F\xc2,\x97 \xabW\xc6\x9d\xb2\x9a\x9c;(*\x1f\xd2\xd7\x06\xe7\xb5\xebd\x85\x16\xa6\x9eP\x95\xf8\xfbl|/\xbc\xfa\"\x82.\x14\xbb\xa7\x9e\x06\x94\x922\x92U\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', 0x1) clone(0x2102001ff8, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execveat(r1, &(0x7f0000000100)='\x00', 0x0, 0x0, 0x1000) 00:58:20 executing program 3: r0 = socket(0xa, 0x1, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'veth1_to_team\x00', 0x0}) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) sendmsg$nl_route_sched(r1, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000b80)=@deltclass={0x24, 0x29, 0x201, 0x0, 0x0, {0x0, r2}}, 0x24}}, 0x0) 00:58:20 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) bind$alg(r1, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-camellia-aesni-avx2\x00'}, 0x58) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:20 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:20 executing program 4: r0 = socket$can_raw(0x1d, 0x3, 0x1) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") sendmsg$unix(0xffffffffffffffff, &(0x7f0000000b80)={0x0, 0x0, &(0x7f00000002c0)=[{&(0x7f00000000c0)="60811fe203fdecb333f8d180030b37c5", 0x10}], 0x1}, 0x0) bind$can_raw(r0, &(0x7f0000000140), 0x10) setsockopt(r0, 0x65, 0x1, &(0x7f0000000080), 0x1d0) [ 350.604973] binder: 13433:13434 got transaction to context manager from process owning it 00:58:20 executing program 5: preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000001200)=""/148, 0x2e5}], 0x100000c7, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000280)='net/mcfilter\x00') preadv(r0, &(0x7f0000000480), 0x10000000000002a1, 0x10400003) 00:58:20 executing program 3: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0xc0045401, &(0x7f0000a07fff)) 00:58:20 executing program 4: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f00000001c0)=""/11, 0x5e) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000200)) r1 = creat(&(0x7f0000000580)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x109) r2 = dup2(r0, r1) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000140)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) ioctl$PIO_FONTRESET(r2, 0x4b6d, 0x0) 00:58:21 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="020d000000000000"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) r3 = openat$zero(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/zero\x00', 0x90540, 0x0) ioctl$NBD_SET_SIZE(r3, 0xab02, 0x4) write$binfmt_elf64(r2, &(0x7f0000000380)={{0x7f, 0x45, 0x4c, 0x46, 0x5, 0x9, 0x8, 0x7, 0x4f, 0x2, 0x3f, 0x10001, 0x1ef, 0x40, 0x1, 0x2, 0x8000, 0x38, 0x2, 0xe4, 0x4, 0x8}, [{0x5, 0xa32, 0x4, 0x0, 0x9, 0xfffffffffffffff8, 0x6, 0x2}, {0x1, 0x80000000, 0x7, 0xb3b3, 0x81, 0x4, 0x9, 0x80}], "", [[]]}, 0x1b0) r4 = syz_open_dev$loop(&(0x7f0000000040)='/dev/loop#\x00', 0x101, 0x0) ioctl$BLKGETSIZE(r4, 0x1260, &(0x7f0000000080)) socket$packet(0x11, 0x2, 0x300) [ 350.925537] binder: send failed reply for transaction 718 to 13433:13434 [ 350.939609] binder: undelivered TRANSACTION_COMPLETE 00:58:21 executing program 1: r0 = socket$inet_udp(0x2, 0x2, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000000c0)={0x0, 0x0}, &(0x7f0000000040)=0xc) keyctl$get_persistent(0x3, r1, 0x0) 00:58:21 executing program 4: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee67, 0x1, 0x0, 0x800, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) getsockopt(r0, 0xff, 0x7, 0x0, &(0x7f0000002000)) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ptmx\x00', 0x181000, 0x0) [ 351.113113] binder: 13468:13470 got transaction to context manager from process owning it 00:58:21 executing program 5: clone(0x200, 0x0, 0x0, 0x0, 0x0) mknod(&(0x7f0000f80000)='./file0\x00', 0x1040, 0x0) execve(&(0x7f00000004c0)='./file0\x00', 0x0, 0x0) creat(&(0x7f0000000240)='./file1\x00', 0xc0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f0000000480)=""/11, 0xb) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000200)) r1 = creat(&(0x7f0000000080)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x109) dup2(r0, r1) execve(&(0x7f00000000c0)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) open$dir(&(0x7f0000000000)='./file0\x00', 0x841, 0x0) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000040)='./file1\x00', 0x0, 0x0) ioctl$TCFLSH(r1, 0x540b, 0x0) 00:58:21 executing program 3: getpid() perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$kcm(0x10, 0x2, 0x4) sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000180)="39000000140081ae00002c000500018708546fabca1b4e7d06a6580e883795c0c54c1960b89c40ebb37358582bdbb7d553b4a421556b3d5df5", 0x39}], 0x1}, 0x0) 00:58:21 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:21 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070") r1 = socket$netlink(0x10, 0x3, 0x0) setsockopt$netlink_NETLINK_ADD_MEMBERSHIP(r1, 0x10e, 0x1, 0x0, 0x0) 00:58:21 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r1 = mmap$binder(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x1000000, 0x13, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000480)={r1}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_netdev_private(r2, 0x89f1, &(0x7f0000000380)="3c0433bced2134e897eaff824abd766a88ead5f1d4764555cb5d069370643a44d497765d744c3c12e8eeb95414444fd5cf9c515f05071cb814d23da935ce135203a5c09ef123a3e1d4ac9b3da5e6c23955ab06cc62204e2f05104176b5e817c872d58b440303aab7cc621f08e477a40ae4e2bb5d12b87aaf7c11983e250be4f3d3a68867097a292c957719aa940d568e47c7e87c33153500a412581153f97a9c857fbb5f60c5cb1b8608f51c3fad5d1c40d94330f2a21dffed4338918370cd4f1ea39e44bab5bbf63e3e03228fd0bfda5c14ff5894dcf4faca2f2dd56a22ddfe5909809aa38fc9b06643a8a703ae14822d6f63321623f63c40") ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) setsockopt$SO_ATTACH_FILTER(r2, 0x1, 0x1a, &(0x7f00000000c0)={0x9, &(0x7f0000000040)=[{0x8, 0x10001, 0x200, 0x80000000}, {0x3, 0x8000, 0xffffffff, 0x9}, {0x7, 0x2008000000000000, 0x0, 0x2}, {0xffff, 0x32c, 0x100000001}, {0x6, 0x5, 0x10001, 0x2}, {0x1, 0xfff, 0x7, 0x2}, {0x1, 0x10001, 0x7ff, 0x5}, {0x8, 0xffff, 0xbdbd, 0x7}, {0x7, 0x9, 0x9, 0x2}]}, 0x10) [ 351.438972] binder: send failed reply for transaction 724 to 13468:13470 [ 351.453720] binder: undelivered TRANSACTION_COMPLETE 00:58:21 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x80000000007, 0x0) dup3(r0, r1, 0x0) 00:58:21 executing program 1: r0 = socket$kcm(0x10, 0x800000000002, 0x0) sendmsg$kcm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)=[{&(0x7f00000000c0)="2e000000120081aee4050cecff0e00fa0a8b5bdb4cb904e473730e55cff26d1b0e001d80fffffff05e510befccd7", 0x2e}], 0x1}, 0x0) 00:58:21 executing program 4: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000000c0)='./cgroup.cpu\x00', 0x200002, 0x0) r1 = openat$cgroup_int(r0, &(0x7f00000001c0)='hugetlb.2MB.limit_in_bytes\x00', 0x2, 0x0) write$cgroup_subtree(r1, &(0x7f0000000080)=ANY=[@ANYBLOB='1M'], 0x2) 00:58:21 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) syz_genetlink_get_family_id$ipvs(0x0) 00:58:21 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="0563044000000000006340400000000020000000000000000000000000000000000000000000000000000c000000000000000000000000000000000000000000000000000000000000000000f9109eeee387ade2300b6c0bd7dba6f3571e5783adc6"], 0x0, 0x0, 0x0}) [ 351.870629] netlink: 'syz-executor.1': attribute type 29 has an invalid length. 00:58:22 executing program 1: r0 = socket$inet6(0xa, 0x3, 0x8100000005) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast1, 0x5}, 0x1c) setsockopt$inet6_opts(r0, 0x29, 0x3b, &(0x7f0000000140)=@srh, 0x8) sendmmsg(r0, &(0x7f00000092c0), 0x4ff, 0x0) setsockopt$inet6_opts(r0, 0x29, 0x37, 0x0, 0x0) pipe2(0x0, 0x0) 00:58:22 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510b, &(0x7f0000a07fff)) [ 352.179802] binder: 13526:13528 got transaction to context manager from process owning it [ 352.188416] binder_transaction: 7 callbacks suppressed [ 352.188462] binder: 13526:13528 transaction failed 29201/-22, size 0-0 line 2887 00:58:22 executing program 5: clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) flock(r1, 0x1) flock(r0, 0x2) exit_group(0x0) flock(r1, 0xfffffffffffffffd) 00:58:22 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:22 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) write$P9_RLERRORu(r0, &(0x7f0000000040)={0x1a, 0x7, 0x1, {{0xd, '/dev/binder#\x00'}, 0x9}}, 0x1a) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 352.374618] binder_release_work: 13 callbacks suppressed [ 352.374633] binder: undelivered TRANSACTION_ERROR: 29201 [ 352.385977] binder: send failed reply for transaction 730 to 13526:13528 00:58:22 executing program 4: r0 = getpid() sched_setattr(r0, &(0x7f00000002c0)={0x0, 0x2, 0x0, 0x0, 0x3}, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x1, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000580)='/dev/rtc0\x00', 0x20000, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) getgid() add_key$user(&(0x7f0000000600)='user\x00', &(0x7f0000000640)={'syz', 0x3}, &(0x7f00000007c0)="dca3c74b87c88ccd47653a443b23f60d3dca0fbfc05354f40c0b13017f5a", 0x1e, 0xfffffffffffffffc) ioctl$RTC_PIE_OFF(0xffffffffffffffff, 0x7006) r3 = request_key(&(0x7f0000000300)='encrypted\x00', &(0x7f0000000340)={'syz', 0x0}, &(0x7f0000000440)=':\x00', 0xfffffffffffffffc) keyctl$restrict_keyring(0x1d, r3, 0x0, &(0x7f00000004c0)='TRUE') stat(&(0x7f0000000a40)='./file0/../file0\x00', 0x0) add_key$user(&(0x7f00000006c0)='user\x00', 0x0, 0x0, 0x0, 0xfffffffffffffffb) request_key(&(0x7f0000000140)='logon\x00', &(0x7f00000008c0)={'syz'}, 0x0, 0xfffffffffffffff8) linkat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x1400) fstat(r2, &(0x7f0000000740)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f0000000900)={{{@in6=@initdev={0xfe, 0x88, [], 0x0, 0x0}, @in6=@loopback, 0x4e23, 0x1, 0x4e24, 0x1000, 0xa, 0x0, 0xa0, 0x67, 0x0, r4}, {0x20, 0x8001, 0x3f, 0x7fff, 0x4, 0x2, 0x4, 0x61}, {0xbf73, 0x6, 0x401, 0x4}, 0x3, 0x6e6bb3, 0x3, 0x0, 0x3, 0x2}, {{@in6=@empty, 0x4d5, 0x6c}, 0x2, @in6=@mcast1, 0x3503, 0x2, 0x3, 0x2, 0x101, 0x78b2800000000, 0x40}}, 0xe8) ioctl$DRM_IOCTL_SET_SAREA_CTX(0xffffffffffffffff, 0x4010641c, &(0x7f0000000b80)={0x0, &(0x7f0000000b00)=""/119}) setpgid(r0, r0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x40, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x9, 0xbd49, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, r0, 0x0, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') setxattr$trusted_overlay_upper(&(0x7f0000000400)='./file0\x00', &(0x7f0000000480)='trusted.overlay.upper\x00', &(0x7f0000000500)={0x0, 0xfb, 0x4f, 0x6, 0x5, "fae6bc8cf1a5ca4bd5bbd3cdfa564485", "b5484f407fbc4e33194c715a92a38be87b7ef8659097a96061a752d6f651980e043b0c925bd4beb6ad57328dd4eec9ee787631db6244c9b70270"}, 0x4f, 0x2) listen(r2, 0xd4) mkdir(&(0x7f0000000040)='./file0\x00', 0x40) dup2(0xffffffffffffffff, 0xffffffffffffffff) [ 352.456432] binder: undelivered TRANSACTION_COMPLETE [ 352.461661] binder: undelivered TRANSACTION_ERROR: 29189 00:58:22 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) syz_genetlink_get_family_id$ipvs(0x0) [ 352.531103] binder: 13544:13547 got transaction to context manager from process owning it [ 352.539785] binder: 13544:13547 transaction failed 29201/-22, size 0-0 line 2887 00:58:22 executing program 5: r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) signalfd(0xffffffffffffffff, &(0x7f00007aeff8), 0x8) r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000080)='./cgroup.cpu\x00', 0x200002, 0x0) fchdir(r1) r2 = creat(&(0x7f0000000180)='./bus\x00', 0x0) fcntl$setstatus(r2, 0x4, 0x40006100) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400204) ioctl$int_in(r1, 0x5421, &(0x7f0000000140)) ftruncate(r2, 0x208200) r4 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x800002, 0x11, r4, 0x0) getsockopt$packet_buf(r1, 0x107, 0x17, &(0x7f0000000400)=""/175, &(0x7f00000004c0)=0xaf) futex(0x0, 0x0, 0x0, &(0x7f0000003ff0), 0x0, 0x0) getsockopt$sock_linger(0xffffffffffffffff, 0x1, 0xd, 0x0, &(0x7f00000076c0)) r5 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) setsockopt$IP_VS_SO_SET_EDITDEST(r3, 0x0, 0x489, &(0x7f00000001c0)={{0x11, @local, 0x4e21, 0x0, 'lblcr\x00', 0x18, 0x800, 0x57}, {@multicast1, 0x4e23, 0x2001, 0x0, 0x4, 0x5}}, 0x44) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x0) ioctl$KDSKBSENT(r1, 0x4b49, &(0x7f0000000500)="1a5ccea55d86975089a960e3871af2986e60a1f748c37b639b6f9a2f08c3879e6fe811d06a035f86d4cd2c4fa33f7434e7ce34666d176d52050b1156081f6bbd03b8f66fc95b0293641ac66f977951a54caba8a95a96d41dcffe95819528b35ec4fa8a297ea3f9d826d9a4a652d16ca5aaa614859bca44d6addb4bd4bf54349f5875d28320ab6abf9d4790975c30ed49832daebf463b2c53fb2b7419fd404b65ddb4afb3f21031575e3f10c5007a44a6e1b3af4063f43daab2950f4c46f14412a331cca3f16949c557e8a189e13b51378b51ab222a3c8570a9e8c14f8bb0069a00278c15") unshare(0x20020000) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mkdir(&(0x7f00000002c0)='./file1\x00', 0x0) mount(0x0, &(0x7f00000000c0)='./file0/../file0\x00', &(0x7f0000000040)='minix\x00', 0x0, 0x0) mount(0x0, &(0x7f0000026ff8)='./file0\x00', &(0x7f00000002c0)='ramfs\x00\xd9q\xab\xafP\xe5,h:\xc7\x926\'\xa5tL\xd7\xd1\xb9k\x8dF\x18\xe2N6\x04\x9bXD\xa7_\xe6\xf6\xd4 \v\x96\xb0t\x9f\xdd\x17\xfc\r\x8cQf?i\xb7\x89\x99\xdf\xf0\n\xd5\xd5\xf2\xa5\x94\x05y\xd3\x18\x9b\xfa\x01\xa1\xfe5|\xac\xc0Jw\xd5\xeb\xfe2\xe5\xb2uG\xa1\xe8\xd9\x06\x9fS\x81Ii\xfcE\x1b\x92#\xe7G\xc9\xd9r\xa8\xc2\xfb\x93\xbb#\xf6\xa8\xa42a\xfa3\xfc\xbf\xbePq\xcfH\x00+%\xfa\xbc\x80;\xd3\xe5,\xc1\n\x1b\xce\x00\xc7\xe3\xbfC\x0f\xb3B+\x8a2\x19\xed\xd9\x13\xfc\xe8\x9dV\xb7\xf1\xdf\'\xa4lc\xaa\xcdi\xc9\xa1\x18G1\xca\x15.R\x87\t\xdf\xe5\xf7\xcd\xd5\xf5\xa8xL\x82\x89l\xc9\xa0g\a4\x88\xf4\xfd\x1d>\xc0\xc3\xaf\xf2h_\xcf\xd3\xe2+\xd6#\x11\xfb\'yr{\xf1\x0f\xa2EU', 0x0, 0x0) poll(0x0, 0x0, 0x400007f) rename(&(0x7f0000000300)='./file1\x00', &(0x7f0000000340)='./file0\x00') sendfile(r2, r5, 0x0, 0x8000fffffffe) clock_gettime(0x0, &(0x7f0000000240)) 00:58:22 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="0563044000000000006340402f260000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) 00:58:22 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 352.788530] binder: undelivered TRANSACTION_ERROR: 29201 [ 352.794332] binder: send failed reply for transaction 736 to 13544:13547 [ 352.803107] binder: undelivered TRANSACTION_COMPLETE [ 352.808300] binder: undelivered TRANSACTION_ERROR: 29189 [ 353.068159] binder: 13572:13575 transaction failed 29189/-22, size 24-8 line 2896 [ 353.104005] binder: 13572:13575 Acquire 1 refcount change on invalid ref 0 ret -22 [ 353.111805] binder: 13572:13575 got transaction to invalid handle [ 353.118316] binder: 13572:13575 transaction failed 29201/-22, size 0-0 line 2896 00:58:23 executing program 4: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ptmx\x00', 0x0, 0x0) poll(&(0x7f0000000100)=[{r1}], 0x1, 0xfffffffffffffffd) ioctl$TCSETS(r1, 0x40045431, &(0x7f00000000c0)) r2 = syz_open_pts(r1, 0x2) dup3(r2, r1, 0x0) write(r1, &(0x7f00000001c0)="ca07ab8bd73958f9d9b73b93d858f33490ff2c63ad69f26355b52179c07a18f5ceb0c275be377bd83f71b81d571fd64211e279aff1098d0d715268dead3330542c878c56d87b24f351fd82d36180029b986b5ba2f5227439794a180a6205f2", 0x5f) 00:58:23 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$TIOCGPGRP(r2, 0x540f, &(0x7f0000000280)=0x0) fstat(r3, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, 0x0}) r6 = getgid() fcntl$getownex(r2, 0x10, &(0x7f00000002c0)={0x0, 0x0}) r8 = getuid() getresgid(&(0x7f0000000500), &(0x7f0000000540)=0x0, &(0x7f0000000580)) r10 = gettid() r11 = geteuid() getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000001680)={0x0, 0x0, 0x0}, &(0x7f00000016c0)=0xc) ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f0000001700)=0x0) r14 = geteuid() lstat(&(0x7f0000001740)='./file0\x00', &(0x7f0000001780)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) sendmmsg$unix(r2, &(0x7f0000001900)=[{&(0x7f0000000040)=@file={0x1, './file0\x00'}, 0x6e, &(0x7f0000000140)=[{&(0x7f00000000c0)="15eb44733e3773ca098bb508a1a468dd4c08c69d96c5b72fb9ed01da76d3e4a11d7772372acc0b89f56990bea348d5e3eb3e818a143037237645d0", 0x3b}, {&(0x7f0000000380)="6dc19f2e47e577dfecdc4a2a8642799c111946ffb3625d63c882837e118a849c4825981edd6c1cf36b03c35dd9a43ce069f1be4d5517f5f7b79e1a1a788fa11fdd4c707b78b227550d7b63c0daa2e1def0d1b0c5bad40cb208e55eb65ddfe0b8f26cd7262988337c6af04b41a4a8c2b61037996f6addc3b215ecf88d3fbf7391f3da6814f9184f71eb303c513631ea67238ba1b576d79b43106d2dcb08fb65a2d3372f845ac8526b737ffaaf816869b8e01fd907b93487662b3ef36a5ce580eb571ba46735f3a32d27612aeb2fb6d74f0047f1fe020ce514c2b7ce0c356cd404c371c1c3add182788015427168b056876c23c7285c650ad0557293", 0xfb}, {&(0x7f0000000680)="541b627f77f9950fd1dc18b4578c7bd0eb32537f1499a9e36bf69b4b3c0ff5a2c982912e58f35dd0a336a6f875269c1077c8d5daa908eb2c8ac091afbe7818cfe27ae48b808f0d2f730af71032f70f725ad04cb3b79259760b30d6a71ef28a8b09258797d45eda3c027b163afc82ac9a1fea203b4494d55d0cb2e5fdda3ca0e6744b9bf32fb936fbdc32dd59209798e41abdbe954f0640904c8e1ce011da8857d0f0e3e7373bae8b4a13c3b2a24118d76081f5a9d760b484fab7ec6500a790d14463c97e0dbc8f6717b771974acb4503d8d809ae9e522ebc09e2940252060a39d3cf81528383c5afa6f5cd4183b789e986b71f047cb4467cf4a26c277af2c64e53cc2ba5c9a9ad1dcfabd39b2b971bd278321ae3f23147163067a4e394de5eba90bc6d696a590ce81bdec1a4d6f2179746325fde361e91f3965a665fe6760112e45c69f3511b3f15f8964a87194e37bc18b75ed0ca01192260aa2d6d55023e306dc892ece1ff78d056f80d20d1a53503281b3ecd9788c1389fcafe9ab90e0d31366810b8592100f25078b6a85bb3e0ddc6dd3c5a4184d02cf394d0f77498263903f80a2f10c7b967e5590a80a1ec7d6a36c0c194adf110ba3e52f921690020f98f53eecccf01e8e80165a837a7a5505287549b63ee779952192da46a25898ab994cbb272c3976a7d2ef512d1548837f5a1f75a2207fa5b60f2b763fb0c8bb3ef8c59ee4f88d77d99e7682166d7fc5a300633eb04ad83de3483fbeac706887c9bbdd04dbe4b2724eb4357c9cfcec395360a91035f686d66f1fcde968fb10c5eec9b0aa321a2e3f0136c176fa8d14e26579a5080301bad804ae64e08ddf7ac0b8bd77a37d6c95f11ebff795f85fad1d32962c147a6858be3e3c7f1434a30c747fe85ba4996c1f559646f46c273c0551e84f90c42b9c1454d8bb2e22874217483c358ab69bde94fb44336eaa403ef830a810a50abc2c26a3ec498bc0029722c78868fbd5896f2872d1236548df5a4159a40e3b08e3260a55ef59ae6638274488bc49e2248ca1c25737684f686c401be6ea577536102790428b70c4bd624abdde007e584de915eb686a574b56a063d256313708102c6af3d5c7851d3cd220e67cd9e94d0b2f9c13ceaf5ecf59334924c8b5573c77feb117ae42ecdd85a1bd5d9fd69058be387e22d1c0ce7c91f19473af5e4a3ba0e20d5e85fe4b5d93fea9a989c7924c6f649d9c8ca50f5b9ea3474127e83bef25e290710754153a45df363588b64e6d02ab2009173fec288961a3c475e8d31e5987fb552e9efbfd5a6a8e9c16802e163ff93d4005b4621fc6941c359309b7bb67b33be027215ee6458f9052db378499c3d8dc13b3a94bda5ddd2cea82fa0a1ce8bef1eb4c0cddc34ee4703b147d1a8f468e8546197af6d508fbe36552552a2db7c894fed51670a55eefa5d28f7719d818372ca326c0e1017cb7710284816c8a6198b826e70c4f86ed7d3065e1ef3665e4dd2c797255dddf90b75c75eba55f32f33a1715b8f04229160b8bd1d052021263a42837cf81223e0aaafa40cce9e6060adeb823e8e0fc44ac52ca5fa29823e920997f75382464cd74016e7f5c9a3ad10caa3cdb7fd4e4cdf80f0bdf1ae3c540bb1aa502bfcb9981c732cb7f98f96f5ea2f932066836fdc581747269a34f998d4063b63a56555062f7e77f70f19035361941b40554a41952ada60eecee50816b28c4492cfee718e4de952cbd957163a9143c218a41f018500ef0d9915a7b55beb644ce477192f139fa8af9c223641ddebad292da2ec4a9196c4b032b9187dfe0b9865d903308852ae58de7e68a902c2494345dc08f704ca10413ea388afd8d4213d0c13b081a61985637ce9a09e02a3f591ae77268cbf44417b7fbd532358773bfa50c6e5d114fba85662762bc27c748229b446ab33055efa04568d8414b4233ff10ca108e303c52e510251080e99034058b9d453cbd41a1afa4e7db5935d735f098ce0b7adea44df13123c49462204d3f6c224355ac992f3384905b5629521d97112c13c736a39fc725e811c7fd8b4a6f4dc23c3891b2e451a181093893dc949ab6ee40ba640fb7f5f4e726d52a3fa75db935508104115ec414dab563e3ee6644443548ba2e18a1c1a2b55f7a3d89bf46b1a9fcd67d805b9489170052517a5dc7f812a88e90d46fad8880963559333793e57684b181fedaaa85e0b32e0f39effd60480179cb4aaa7e30fe6d32951a660105bc0d37e5edb08cc672d307147f60cdde50f0fd5fa0fd3ffb1d4e2a6c533f3c4493d184cdc69eaa3b38a6e9d60fdf7f4f3e7b3b9431c2972147fd59bdd5b3cca747a11cddb719d01576070fc75f851132050f9b0a8cd258fc2ad370a878da7017be76fbccf7ba498d12f416967483e167a3f1c487daa3ca3dd55d453c3f5cfc4f3504f4c37b5fe291859aa9ebd6bbe3dec2fa60ad5f36e5b010dd936364e94ed7826e159f2207b6f1c4021aaa6aeac1f2cbf51c2a95e8918f9463aed332816f864a9d7fb7f3aa16340c689f13baca12fcebf05236d0883313fa18a08787939f8bfd775ca7e37205ac656ef6c6b46c0bdd12656bca76dd6fd733863481a84e1c2efa99f1922b59ab47c258d89843c0badf5d3da0391fe83b7698964724e33a3360b88fb596791d484326bed60a4d0cc599d4d6ea19e8bc2c8211b347060a9413cd0fbdeb784545d68159d2ead6ffe9848dd25fcb8e661d519eaf7ff72a06a89ff8b47ddb8f5e949a54d16d19082c287f7c760b983b778d1060ffdf2bdddea71f35d257222a678ae9330616a897602e7db65fc3453116506007a216744a1fec377113ffa7a24efeebdd9b7a136aa965720cd2fd3cc9ed2348eac658643ae7aa56e4461191b549d97d21daea9d00e0c9a28b9a11c42347cad00e55d4662a5e2a17e5392482052b3229b41d22ac8d1c224a8dccb7eb6c5fd976fcd34a89267e1215413d93798d293af24a8ca76a12f7fc924177a4b81a33ed0c50973c9652578a7254cc33ab2084b4615286eae7c172bb22561937109a061695c8e96c081941e0f23c1e9668e8e493320d453fc270f5f8046bde89893622b386d4fe9c68054cf0ff309b1a35b94ef2e3c471b694769ac476f0f9a1dd8c8c9e9fb7930bc96c47687d135e0ac95eda11b84917d9b53bbd5de65da10dfb63ed0eac31205fc47e4b3cc5c5677c910c5ae675d61eb1ddc3df212e4c80bf0a3484a7fb06b11c229c35197d2083deca347426a05beedcfee8ced901fad61aa97c591407428f2016cc6ded18d7908ed54f732a5c55990fb04cd641f8dadf99c1e14c10f24a91a09611665af9ccebe2571d6416db3b0efde4f4013004e13659be1f75caba96be3b7a9c945772dceee75cbbc45a2118c93640512c6a776e551e6a8bb8b7d85b6b37727f5502372fdd65def41c1bc2fb37d022cc754dce04a18a60efb6546a758379c16acf0226fef5d01ba49fcdfb493dc734bbc607c04c7e3b5355918a697c6ab8db87a0de352f70bf384699d4d1c666790616791cf251ea4814b20af6a3da0c5eefbfcfd12af60b9c8630b9c38ff6041b36c467dfbaa82532fb0729ac85155615ebd46c6f29d2ba6c4e58d91efccc63da244eb4b495f32c2c1a31c18497903b1abadd8fee0ed452083500f742470d6937b786eadba368aad5cfebafd3320e6c0d59c0391db31cda874c10e027fe8db4b51b3f86e867ccca28ac3430acf191936328dc9e68144b02c80f07e8f2fc95714b4c6b6636e30ceeb31aa486945886ed2f50ae7b445fa082e72395bdd27bf58e17b49e919f9ff3d7b8c22edd8308a635b10690de9a8efba81b178a1ab89ef72ced8cc96751539ea3bdfa4f819c2e9285c4298c36486c9c80196bd819f2dcf067527a4e32c3344e6681493e6d2fadcb227e9247f76b4910e85320f9454d03e919cedfd5b7d43cf97f94c2a8f430987e927c1083c5571055c26aec49fa0d60f6cbfa8c76a8e360138497f8cae778c69fc83d466ba731c7f3fdf58ae45379ddaf79e046682b763bafd25d6c221f9373776d3da602b3b0a11ad53be21ad215b940b049d128f1575a43dbd4bbc0c8db3eaf99d7415058f408fb9b845d106ae0f8e07e925bf7a59052fa65ac44682bf0457bc59817aa588f1e739bb3f28dcee2f9f1869d6c26e0742f2f4a54c87fa6a01d1d9624391af99b5c7be63ec62645b8ce17942aa507d0e37bc545663a9d54d54f4d32a78a2110ea3e42860079bea9b2a4e7c8d61555f6bdb6b1aafa95149fe25e4827d9c1cf5079f301a44585654a202ad5ab554b1795b57fea9b4932e74dbfc28752db29aed7eec332d99b396266ff79c645c727e68b95a38e8115b07dc45379cbafa7723d54de12d0c2bcde829fc93f3d18de43bf789983b23c02b795eaf753da0e59a01639466c473c689e25e5af997782a3f21dd27e68c64dd0330bb7573b1f56ac2e3d981b2a14a01a3d94dfb5979279ce160604fef73517b5b61e95028133fb396fdbd5b474b5029aad3baa72fdaea38d2f02760be7b9596bafa260f0f1560ee06d9534a39109a68675a897953dd1c2b163bff351681694826306c3375a518abcf7336ff53e7e9d546e2380417ac0988f12f05803e71cf590a4f05302398217197480aa466e3998ce8042f70be7ec6fdc78636ee07dcaca767462f852c66086a1f619a224b11805b2d35d9fecb6ff64df9491003b7d76f0c3eacafe8581ff9a7f535e3ee8223397fcfdda709153e12e29e5b4f0891c79621bfb4bb24d8461bbab264b2ac1aa7c155d0bfcd2eed06d98ee2f57ea764febdc0f0182568e1e3be3a337c774e2c42b212a1a2d09284e0709e312c720f83eaeac98d5150da6456fcfc029cd37dce2e53a929a199872a1fb1441a19b52016457026ebcbcdf1dea6aec598fd2c32716ccf53b7681b81a41b1afd0195efc9ee76cde62473e83c644c7a91401ccb40c5cf3aaf192dde7cc27d8e3d6a4acd3c2ef942ad1cc9a13d5cd3058b0296b7f767782c0f82e63e34cf3c01f73406504d965a89e613e26f314197e1098f7620ecb5c53f990acba2bb66a6a8b3bb9c70d2de9f67e30402822ef39f996fef0b57b3e7e03776a82847da37d5ac5bfd54a1be5a9cd2e3d118dcccee97bcaeff9363ee39ac0bef781457bed133fc6f6b2bbf0aaac45c5483449bca5662338c28d0736bdb9297705716871c05464030b89b35d28615540e1a7de8082f3fdae7c1077a533c9016b8b2b74ee4ce36e3e137fa256cb8f1ee7e2288500ec4cb044b457eae1be48a0bfa084a25c68956d1eee7762512bed549d28373dd8f339985dce1da17a26a397770bf726f41b68ce85cf1a06bbab4164b9610037d068f0230253b28a514887e23ed81d670d118470bd87b2af77572fc0ee709a8f64d4a302b08d18751895d31c3f0409d5cc20e5ec3f7458fac366e1f0d66c977fe17617e517727f29bc3bac775aec53d079adafd278b9ef58b9624b63941c6ae586b72584744a407f807a2f329bae700889a4bb494833535826acbe6547235a79a8424da9d1bd0064d0a1b2a208a895d4367394db02dd538d32b434a9ed61d07ffe03cfeee35669b8ab8f5c09523ebc187fd464122794311100c1bd3b1d66d6edb272be9f09545eaa740147947bf3ef0b63e149d59e741c425121aa24bfb122eb207aa4890046a5ec4515571e8eb7553056270a337b70853e99a8d550204c2104dd498b288ebf8c41d39e807bf7437aa8aa82641464a3ef048bc59f9a50eb94ec84e77c60da4d5a85c68e1414fc64f242a9a68652e2c9dc051", 0x1000}, {&(0x7f0000000100)="17e86428dac00f89ef031310d07106a8ce2793a8f3c194f0bcbcc2f52fcabcfc759277677b636ee08829", 0x2a}], 0x4, &(0x7f0000001800)=[@cred={0x20, 0x1, 0x2, r4, r5, r6}, @rights={0x20, 0x1, 0x1, [r1, r0, r3]}, @cred={0x20, 0x1, 0x2, r7, r8, r9}, @rights={0x28, 0x1, 0x1, [r1, r3, r2, r3, r0]}, @cred={0x20, 0x1, 0x2, r10, r11, r12}, @cred={0x20, 0x1, 0x2, r13, r14, r15}, @rights={0x38, 0x1, 0x1, [r2, r0, r0, r1, r2, r1, r3, r2, r1]}], 0x100}], 0x1, 0x8000) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 353.332708] binder: undelivered TRANSACTION_ERROR: 29201 [ 353.343403] binder: undelivered TRANSACTION_ERROR: 29189 [ 353.549495] binder: 13583:13584 got transaction to context manager from process owning it [ 353.558328] binder: 13583:13584 transaction failed 29201/-22, size 0-0 line 2887 [ 353.681787] binder: undelivered TRANSACTION_ERROR: 29201 [ 353.687483] binder: send failed reply for transaction 744 to 13583:13584 [ 353.733804] binder: undelivered TRANSACTION_COMPLETE [ 353.739032] binder: undelivered TRANSACTION_ERROR: 29189 00:58:24 executing program 1: r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc0\x00', 0x0, 0x0) ioctl$RTC_RD_TIME(r0, 0x80247009, &(0x7f0000000040)) 00:58:24 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:24 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) syz_genetlink_get_family_id$ipvs(0x0) 00:58:24 executing program 0: r0 = syz_open_dev$vcsn(&(0x7f0000000080)='/dev/vcs#\x00', 0x1000000000149c, 0x2000) getsockopt$inet6_mtu(r0, 0x29, 0x17, &(0x7f00000000c0), &(0x7f0000000100)=0x4) r1 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:24 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) ioctl$VT_RESIZE(0xffffffffffffffff, 0x5609, 0x0) clone(0x802102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = socket(0xa, 0x1, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r1, 0x0, 0x80, &(0x7f0000000580)=@nat={'%at\x00', 0x19, 0x1, 0x1e0, [0x20000380, 0x0, 0x0, 0x20000500, 0x20000530], 0x0, &(0x7f0000000040), &(0x7f0000000380)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x1d, 0x0, 0x0, 'team_slave_0\x00', 'bridge_slave_0\x00', 'bond_slave_1\x00', 'veth1_to_bridge\x00', @empty, [], @dev, [], 0xe0, 0x12f, 0x150, [@stp={'stp\x00', 0x48, {{0x0, {0x0, 0x0, 0x0, @local, [], 0x0, 0x0, 0x0, 0x0, @local}}}}]}, [@snat={'snat\x00', 0x10, {{@local}}}]}, @snat={'snat\x00', 0x10, {{@random="5f5a1fad6899"}}}}]}, {0x0, '\x00', 0x1}, {0x0, '\x00', 0x1}]}, 0x258) ioctl$TCSETSW(0xffffffffffffffff, 0x5403, 0x0) 00:58:24 executing program 4: openat$urandom(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev, 0x6}, 0x1c) setsockopt$inet6_mtu(r0, 0x29, 0x17, &(0x7f0000000140)=0x3, 0x4) sendmmsg(r0, &(0x7f00000092c0), 0x4ff, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) [ 354.408796] binder: 13597:13598 got transaction to context manager from process owning it [ 354.417420] binder: 13597:13598 transaction failed 29201/-22, size 0-0 line 2887 [ 354.439905] kernel msg: ebtables bug: please report to author: target size too small 00:58:24 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) ioctl$VT_RESIZE(0xffffffffffffffff, 0x5609, 0x0) clone(0x802102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = socket(0xa, 0x1, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r1, 0x0, 0x80, &(0x7f0000000580)=@nat={'%at\x00', 0x19, 0x1, 0x1e0, [0x20000380, 0x0, 0x0, 0x20000500, 0x20000530], 0x0, &(0x7f0000000040), &(0x7f0000000380)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x1d, 0x0, 0x0, 'team_slave_0\x00', 'bridge_slave_0\x00', 'bond_slave_1\x00', 'veth1_to_bridge\x00', @empty, [], @dev, [], 0xe0, 0x12f, 0x150, [@stp={'stp\x00', 0x48, {{0x0, {0x0, 0x0, 0x0, @local, [], 0x0, 0x0, 0x0, 0x0, @local}}}}]}, [@snat={'snat\x00', 0x10, {{@local}}}]}, @snat={'snat\x00', 0x10, {{@random="5f5a1fad6899"}}}}]}, {0x0, '\x00', 0x1}, {0x0, '\x00', 0x1}]}, 0x258) ioctl$TCSETSW(0xffffffffffffffff, 0x5403, 0x0) [ 354.512739] binder_alloc: binder_alloc_mmap_handler: 13597 20001000-20004000 already mapped failed -16 [ 354.541760] binder_alloc: 13597: binder_alloc_buf, no vma [ 354.547556] binder: 13597:13615 transaction failed 29189/-3, size 24-8 line 3035 [ 354.573711] binder: release 13597:13598 transaction 750 out, still active [ 354.580708] binder: unexpected work type, 4, not freed [ 354.586227] binder: undelivered TRANSACTION_COMPLETE [ 354.626292] binder: undelivered TRANSACTION_ERROR: 29189 [ 354.631889] binder: undelivered TRANSACTION_ERROR: 29201 [ 354.637766] binder: send failed reply for transaction 750, target dead 00:58:24 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:24 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 354.744459] kernel msg: ebtables bug: please report to author: target size too small 00:58:24 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) syz_genetlink_get_family_id$ipvs(0x0) [ 354.824463] protocol 88fb is buggy, dev hsr_slave_0 [ 354.830149] protocol 88fb is buggy, dev hsr_slave_1 00:58:24 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:25 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) ioctl$VT_RESIZE(0xffffffffffffffff, 0x5609, 0x0) clone(0x802102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = socket(0xa, 0x1, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r1, 0x0, 0x80, &(0x7f0000000580)=@nat={'%at\x00', 0x19, 0x1, 0x1e0, [0x20000380, 0x0, 0x0, 0x20000500, 0x20000530], 0x0, &(0x7f0000000040), &(0x7f0000000380)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x1d, 0x0, 0x0, 'team_slave_0\x00', 'bridge_slave_0\x00', 'bond_slave_1\x00', 'veth1_to_bridge\x00', @empty, [], @dev, [], 0xe0, 0x12f, 0x150, [@stp={'stp\x00', 0x48, {{0x0, {0x0, 0x0, 0x0, @local, [], 0x0, 0x0, 0x0, 0x0, @local}}}}]}, [@snat={'snat\x00', 0x10, {{@local}}}]}, @snat={'snat\x00', 0x10, {{@random="5f5a1fad6899"}}}}]}, {0x0, '\x00', 0x1}, {0x0, '\x00', 0x1}]}, 0x258) ioctl$TCSETSW(0xffffffffffffffff, 0x5403, 0x0) 00:58:25 executing program 5: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$loop(&(0x7f00000004c0)='/dev/loop#\x00', 0x0, 0x100082) socket$nl_xfrm(0x10, 0x3, 0x6) getsockopt$IP_VS_SO_GET_INFO(0xffffffffffffffff, 0x0, 0x481, 0x0, 0x0) openat$tun(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_genetlink_get_family_id$tipc(0x0) perf_event_open(&(0x7f0000000080)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x2102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() clone(0x3000000a0160100, 0x0, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x11) wait4(0x0, 0x0, 0x0, 0x0) [ 355.136414] binder: 13636:13638 got transaction to context manager from process owning it [ 355.145089] binder: 13636:13638 transaction failed 29201/-22, size 0-0 line 2887 [ 355.156517] kernel msg: ebtables bug: please report to author: target size too small 00:58:25 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = openat(0xffffffffffffffff, &(0x7f00000052c0)='./file0\x00', 0x40040, 0x10) setsockopt$inet6_dccp_int(r2, 0x21, 0xb, &(0x7f0000005300)=0x9, 0x4) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 355.316777] binder: send failed reply for transaction 757 to 13636:13638 [ 355.334035] binder: undelivered TRANSACTION_COMPLETE 00:58:25 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:25 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='hugetl\x04\x00\x00\x00\x00\x00\x00\x00age_ir_Z\xa2\xf4es\x00', 0x275a, 0x0) ioctl$FS_IOC_RESVSP(r0, 0x40305828, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x7fffffff}) 00:58:25 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 355.462963] protocol 88fb is buggy, dev hsr_slave_0 [ 355.462997] protocol 88fb is buggy, dev hsr_slave_0 [ 355.468537] protocol 88fb is buggy, dev hsr_slave_1 [ 355.473690] protocol 88fb is buggy, dev hsr_slave_1 [ 355.478951] protocol 88fb is buggy, dev hsr_slave_0 [ 355.484046] protocol 88fb is buggy, dev hsr_slave_0 [ 355.488849] protocol 88fb is buggy, dev hsr_slave_1 [ 355.494021] protocol 88fb is buggy, dev hsr_slave_1 [ 355.512601] binder: 13652:13654 got transaction to context manager from process owning it [ 355.521085] binder: 13652:13654 transaction failed 29201/-22, size 0-0 line 2887 [ 355.754999] binder: send failed reply for transaction 763 to 13652:13654 [ 355.773093] binder: undelivered TRANSACTION_COMPLETE 00:58:26 executing program 4: r0 = socket$inet_udp(0x2, 0x2, 0x0) add_key$keyring(&(0x7f00000001c0)='keyring\x00', &(0x7f0000000200)={'syz'}, 0x0, 0x0, 0xffffffffffffffff) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000000c0)={0x0, 0x0}, &(0x7f0000000040)=0xc) keyctl$get_persistent(0x3, r1, 0x0) 00:58:26 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000040)='memory.current\x00', 0x0, 0x0) setsockopt$inet_sctp_SCTP_I_WANT_MAPPED_V4_ADDR(r2, 0x84, 0xc, &(0x7f0000000080)=0xffffffffffffff81, 0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:26 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x80000000007, 0x0) dup3(r0, r1, 0x0) 00:58:26 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) 00:58:26 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:26 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) [ 356.434953] binder: 13683:13684 got transaction to context manager from process owning it [ 356.443660] binder: 13683:13684 transaction failed 29201/-22, size 0-0 line 2887 00:58:26 executing program 5: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000200)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f0000000300)=""/11, 0xb) ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000001c0)) r1 = socket$inet6(0xa, 0x1, 0x0) connect$inet6(r1, &(0x7f0000000080)={0xa, 0x0, 0x0, @remote, 0x3}, 0x1c) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) recvmmsg(r1, &(0x7f0000000340)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0) ioctl$GIO_UNIMAP(r0, 0x4b66, 0x0) r2 = fcntl$dupfd(r1, 0x0, r1) shutdown(r2, 0x0) 00:58:26 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") r1 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r4 = socket$inet_udp(0x2, 0x2, 0x0) close(r4) r5 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r5, &(0x7f0000000040)={0x11, 0x0, r6, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r3, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r2, 0x0, r4, 0x0, 0x10003, 0x0) 00:58:26 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) sendmsg(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0}, 0x40000) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:26 executing program 0: r0 = syz_open_dev$audion(&(0x7f0000000040)='/dev/audio#\x00', 0x101, 0x20000) getsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000280), &(0x7f00000002c0)=0x4) r1 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r3 = openat$mixer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/mixer\x00', 0x0, 0x0) fcntl$getownex(r3, 0x10, &(0x7f0000000080)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000140)=ANY=[@ANYBLOB="0000000000000000ad398967cbbfd8b5121cb6a8edeea8d39606d046079ee2190591169f4dc249ca00000000000000000000000000000000"]], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f00000004c0)=ANY=[@ANYBLOB="056304280000000000634040000000002cff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) setsockopt$inet_sctp_SCTP_RECVNXTINFO(r3, 0x84, 0x21, &(0x7f0000000100)=0x7fffffff, 0x4) sendto$unix(r4, &(0x7f0000000380)="b38b47c57689b6b9d4c40a0f54e82d2363b1eeeea2453136b059b81e8eacb081aca13fe388f38fb9ba9286ff1ae254db7ddcd80e8043b6ba28ca18f8371383169138266605f1c9fe84b43d3807aa7a1ec18f68b2a93bdef81446bc5780af82b7d2613801e58cd87e78c9df7878f248117127b2bc20e3998f9405e84d807b79c741d6af6bd8d03388721e1551fc6a3a3bba938a4b8764b47d47c817f1ae2ca747ebed0b8b86948b482f710f29a9e63f0fadeeb0620a345166", 0xb8, 0x4, &(0x7f0000000440)=@abs={0x1, 0x0, 0x4e22}, 0xfffffe14) [ 356.690064] binder: send failed reply for transaction 769 to 13683:13684 [ 356.717032] binder: undelivered TRANSACTION_COMPLETE [ 356.853107] binder: BINDER_SET_CONTEXT_MGR already set [ 356.858836] binder: 13704:13705 ioctl 40046207 0 returned -16 [ 356.868607] binder: 13704:13705 unknown command 671376133 [ 356.874251] binder: 13704:13705 ioctl c0306201 200005c0 returned -22 00:58:27 executing program 5: gettid() perf_event_open(&(0x7f00000000c0)={0x8, 0x70, 0x101, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f00000000c0)={0x8, 0x70, 0x101, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) 00:58:27 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x40, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000140)={0x0, 0x2, 0x3000, 0x1000, &(0x7f0000003000/0x1000)=nil}) ioctl$TUNSETPERSIST(r2, 0x400454cb, 0x1) ioctl$KVM_GET_REG_LIST(r2, 0xc008aeb0, &(0x7f0000000080)={0x5, [0x2, 0x7, 0x1, 0x100, 0x3a]}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000280)=ANY=[@ANYBLOB="852a6200000000962a90192b8c3d5f87d500d7ed88a2cc8a8e87b9e2edaf5b8bb07766e2de5cce11570f9b55d0d4fc76c50ff1fa11a6ffc8ac91b04058821cb88c150b5562f439e75f12de8519ae78731718ab38af", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) recvfrom$unix(r2, &(0x7f0000000680)=""/4096, 0x1000, 0x20, &(0x7f00000000c0)=@file={0x1, './file0\x00'}, 0x6e) 00:58:27 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_genetlink_get_family_id$tipc(0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 357.007298] binder: send failed reply for transaction 775 to 13704:13705 [ 357.014567] binder: undelivered TRANSACTION_COMPLETE [ 357.155379] binder: 13714:13717 got transaction with invalid offset (0, min 0 max 24) or object. [ 357.186270] binder: 13714:13717 got transaction to context manager from process owning it [ 357.195003] binder_transaction: 1 callbacks suppressed [ 357.195037] binder: 13714:13717 transaction failed 29201/-22, size 0-0 line 2887 00:58:27 executing program 5: syz_open_dev$admmidi(0x0, 0x0, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x2) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) prctl$PR_SET_THP_DISABLE(0x29, 0x0) getsockname(0xffffffffffffffff, 0x0, 0x0) r2 = accept4(r0, 0x0, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in={{0x2, 0x4e21, @remote}}, 0x0, 0x0, 0x0, 0x4, 0x21}, 0x98) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, 0x0, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f00000000c0)={0x0, @in={{0x2, 0x4e24, @broadcast}}, 0xffff}, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(0xffffffffffffffff, 0x89e0, 0x0) getsockopt$inet_sctp_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x54}, 0x98) 00:58:27 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) 00:58:27 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000040)='/dev/admmidi#\x00', 0x40, 0x400000) ioctl$KVM_PPC_ALLOCATE_HTAB(r1, 0xc004aea7, &(0x7f0000000080)) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:27 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) [ 357.389081] binder_release_work: 7 callbacks suppressed [ 357.389097] binder: undelivered TRANSACTION_ERROR: 29201 [ 357.406700] binder: undelivered TRANSACTION_ERROR: 29201 00:58:27 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 357.585162] binder: 13735:13736 transaction failed 29189/-22, size 24-8 line 2896 00:58:27 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000080)='/dev/zero\x00', 0x800, 0x0) r4 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_SET(r3, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000140)={&(0x7f0000000680)={0x2c8, r4, 0xb3c, 0x70bd2c, 0x25dfdbfd, {}, [@TIPC_NLA_SOCK={0x2c, 0x2, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x7f}, @TIPC_NLA_SOCK_ADDR={0x8}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x6}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}]}, @TIPC_NLA_NET={0x1c, 0x7, [@TIPC_NLA_NET_NODEID={0xc, 0x3, 0x7}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}]}, @TIPC_NLA_BEARER={0xc, 0x1, [@TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x1}]}, @TIPC_NLA_LINK={0x54, 0x4, [@TIPC_NLA_LINK_PROP={0x1c, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x11}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, [@TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xea}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}]}, @TIPC_NLA_MEDIA={0xc8, 0x5, [@TIPC_NLA_MEDIA_PROP={0x44, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffff801}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x22}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}]}, @TIPC_NLA_MEDIA_PROP={0x44, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x800}, @TIPC_NLA_PROP_MTU={0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xc}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1000}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x20}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x11}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6a3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1ff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x2}]}]}, @TIPC_NLA_BEARER={0x144, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'eth', 0x3a, 'vlan0\x00'}}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xb39c}]}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x80000001}, @TIPC_NLA_BEARER_UDP_OPTS={0x44, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e23, 0xc55, @remote, 0x8}}, {0x20, 0x2, @in6={0xa, 0x4e21, 0x3ff, @dev={0xfe, 0x80, [], 0x1d}, 0x4}}}}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x20, 0x1, @in6={0xa, 0x4e21, 0xfa8, @mcast2, 0x3}}, {0x14, 0x2, @in={0x2, 0x4e23, @local}}}}, @TIPC_NLA_BEARER_PROP={0x44, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8001}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9e}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x17}, @TIPC_NLA_BEARER_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100000001000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x200}]}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xffffffffffffff44}]}]}, 0x2c8}, 0x1, 0x0, 0x0, 0x40}, 0x80) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="0563044000000000006340400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000765d2920fb3d4e38000000"], 0x0, 0x0, 0x0}) r5 = dup2(r1, r0) ioctl$EVIOCREVOKE(r5, 0x40044591, &(0x7f0000000040)) [ 357.797773] binder: undelivered TRANSACTION_ERROR: 29189 00:58:28 executing program 4: setsockopt$IPT_SO_SET_REPLACE(0xffffffffffffffff, 0x0, 0x40, &(0x7f0000000100)=ANY=[@ANYBLOB="73656375726974790000000000000000000000000000010000000000000000000e00000004000000480300002801000000000000280100002801"], 0x1) clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() futex(&(0x7f0000000140)=0x2, 0x0, 0x2, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0xf) write$P9_RREAD(0xffffffffffffffff, &(0x7f0000000100)=ANY=[@ANYBLOB="591402d07701000000cd8fbc162c4d8524e04aba6397600900000056efc427482e7d3691c700cd3edfa7afe309000000000000000000000000"], 0x39) openat(0xffffffffffffff9c, 0x0, 0x0, 0x0) ptrace$cont(0x18, r0, 0x0, 0x0) ptrace$setregs(0xd, r0, 0x0, &(0x7f00000000c0)) ptrace$cont(0x1f, r0, 0x0, 0x0) 00:58:28 executing program 5: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0xc, 0x10}}, &(0x7f0000000240)='EP\xd4\x00\x1f\x91\xeb/W\xb72$C0%\x03\x9c0\x96\xb2\fkC\x93H\xbfh\x9c\b`\x857\xd6\">c\xad\xc0bO\xba\xe2\xe1\t5\x9d\xcei\"2L\xcc\x13\x16\vh\xca\xe6C\x06\x97%\x9d\xd5-\x1fs\xe1j\xdc5\x92\xd0)%\xdf\xfa\xe8^\x9c\xd29\x8clg\xc8\x7f\xb5\xb1&\x02\xf1E\xb4\x84\xbeE\x91)f\xe8\xb7\xe2\xf6`i\xc5m\xd7l\x1d\xc1\x12\x01<:kM\xe9\x99\xcd\xcd\xc8\x85Z\xee47\xdc\xc8u\x80\xcf\xbeTo\xbb\xfb\xc0\xebV\xd8\xbb\xbe\xa2\x90J|s\xc2', 0x1, 0x348, &(0x7f0000000480)=""/195}, 0x48) [ 358.008100] binder: 13749:13750 got transaction to context manager from process owning it [ 358.016963] binder: 13749:13750 transaction failed 29201/-22, size 0-0 line 2887 [ 358.098825] binder: release 13749:13750 transaction 784 out, still active [ 358.105915] binder: unexpected work type, 4, not freed [ 358.111269] binder: undelivered TRANSACTION_COMPLETE [ 358.120960] binder: 13749:13750 ioctl 40044591 20000040 returned -22 00:58:28 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0xc0045103, &(0x7f0000a07fff)) [ 358.190308] ptrace attach of "/root/syz-executor.4"[13757] was attempted by "/root/syz-executor.4"[13758] 00:58:28 executing program 5: bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x5, 0xa, 0x800, 0x3}, 0x2c) 00:58:28 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) 00:58:28 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000080)='/dev/vbi#\x00', 0x2, 0x2) ioctl$TCGETS(r2, 0x5401, &(0x7f00000000c0)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="0063403a000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) r3 = syz_open_dev$mouse(&(0x7f0000000040)='/dev/input/mouse#\x00', 0x2, 0x200000) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x8) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 358.308902] binder: undelivered TRANSACTION_ERROR: 29201 [ 358.314639] binder: send failed reply for transaction 784, target dead 00:58:28 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) 00:58:28 executing program 5: r0 = getpid() sched_setattr(r0, &(0x7f00000002c0)={0x0, 0x2, 0x0, 0x0, 0x3}, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x1, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000580)='/dev/rtc0\x00', 0x20000, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) getgid() add_key$user(&(0x7f0000000600)='user\x00', 0x0, &(0x7f00000007c0)="dca3c74b87c88ccd47653a443b23f60d3dca0fbfc05354f40c0b13017f5ae5c1f35a7a01e1e9e5", 0x27, 0xfffffffffffffffc) ioctl$RTC_PIE_OFF(0xffffffffffffffff, 0x7006) r3 = request_key(&(0x7f0000000300)='encrypted\x00', &(0x7f0000000340)={'syz', 0x0}, &(0x7f0000000440)=':\x00', 0xfffffffffffffffc) keyctl$restrict_keyring(0x1d, r3, 0x0, 0x0) stat(&(0x7f0000000a40)='./file0/../file0\x00', 0x0) add_key$user(&(0x7f00000006c0)='user\x00', &(0x7f0000000700)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) request_key(&(0x7f0000000140)='logon\x00', &(0x7f00000008c0)={'syz', 0x0}, 0x0, 0xfffffffffffffff8) linkat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x0) fstat(r2, &(0x7f0000000740)) ioctl$DRM_IOCTL_SET_SAREA_CTX(0xffffffffffffffff, 0x4010641c, &(0x7f0000000b80)={0x0, &(0x7f0000000b00)=""/119}) setpgid(r0, r0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x40, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x9, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, r0, 0x0, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') listen(r2, 0xd4) mkdir(&(0x7f0000000040)='./file0\x00', 0x40) dup2(0xffffffffffffffff, 0xffffffffffffffff) [ 358.565474] binder: 13770:13772 unknown command 977298176 [ 358.571193] binder: 13770:13772 ioctl c0306201 20000000 returned -22 00:58:28 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) [ 358.660698] binder: 13770:13772 got transaction to context manager from process owning it [ 358.670212] binder: 13770:13772 transaction failed 29201/-22, size 0-0 line 2887 00:58:28 executing program 4: r0 = socket$inet(0x2, 0x2, 0x0) setsockopt$inet_group_source_req(r0, 0x0, 0x2e, &(0x7f0000000100)={0x0, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @dev}}}, 0x108) 00:58:28 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) [ 358.802704] binder_alloc: binder_alloc_mmap_handler: 13770 20001000-20004000 already mapped failed -16 [ 358.843835] binder: BINDER_SET_CONTEXT_MGR already set [ 358.849300] binder: 13770:13772 ioctl 40046207 0 returned -16 [ 358.928698] binder: 13770:13783 unknown command 977298176 [ 358.934554] binder: 13770:13783 ioctl c0306201 20000000 returned -22 [ 358.944025] binder_alloc: 13770: binder_alloc_buf, no vma [ 358.949893] binder: 13770:13783 transaction failed 29189/-3, size 0-0 line 3035 [ 358.965662] binder: undelivered TRANSACTION_ERROR: 29201 [ 358.974596] binder: undelivered TRANSACTION_ERROR: 29189 00:58:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e41074e013680796806818c83bd9f38347b21cf84c1fe9f15d1bd6951edb3641a8dc9d433fc06f98deb3a1e7d18a22fb8db898083fda5f09c39d629fb16523d07a25b95a16ff7657878fed5d08cc5440343e38c77af0ad6f14adfffd9972ccc9654b508b37b49caa0b4f71aaa92deb8ced5050b9fd8c22c1c35d29a19161ac60e83ffeeb9619de0644416026b5ad831ee02ca87d0b3da3dd214597f48e447582e4cc5c9fed1b9aaa4dc63f76f555ed2a4617f7686df6c2a484291b74da76d98fc5d09094aa0c3071cd0518f3aa386b25b51e378e9ac76950a31c430472fb34c3a7"], 0x0, 0x0, 0x0}) 00:58:29 executing program 4: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000080)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x2102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() clone(0x3000000a0160100, 0x0, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x11) wait4(0x0, 0x0, 0x0, 0x0) 00:58:29 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:29 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) socket$inet(0x2, 0x3, 0x5) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) [ 359.296039] binder: 13799:13800 got transaction to context manager from process owning it [ 359.304798] binder: 13799:13800 transaction failed 29201/-22, size 0-0 line 2887 00:58:29 executing program 4: r0 = getpid() sched_setattr(r0, &(0x7f00000002c0)={0x0, 0x2, 0x0, 0x0, 0x3}, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x1, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000580)='/dev/rtc0\x00', 0x20000, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) getgid() add_key$user(&(0x7f0000000600)='user\x00', &(0x7f0000000640)={'syz', 0x3}, &(0x7f00000007c0)="dca3c74b87c88ccd47653a443b23f60d3dca0fbfc05354f40c0b13017f5a", 0x1e, 0xfffffffffffffffc) ioctl$RTC_PIE_OFF(0xffffffffffffffff, 0x7006) r3 = request_key(&(0x7f0000000300)='encrypted\x00', &(0x7f0000000340)={'syz', 0x0}, &(0x7f0000000440)=':\x00', 0xfffffffffffffffc) keyctl$restrict_keyring(0x1d, r3, 0x0, &(0x7f00000004c0)='TRUE') add_key$user(&(0x7f00000006c0)='user\x00', &(0x7f0000000700)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) request_key(&(0x7f0000000140)='logon\x00', &(0x7f00000008c0)={'syz', 0x0}, 0x0, 0xfffffffffffffff8) linkat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x1400) fstat(r2, &(0x7f0000000740)) ioctl$DRM_IOCTL_SET_SAREA_CTX(0xffffffffffffffff, 0x4010641c, &(0x7f0000000b80)={0x0, &(0x7f0000000b00)=""/119}) setpgid(r0, r0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x40, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x9, 0xbd49, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, r0, 0x0, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') setxattr$trusted_overlay_upper(&(0x7f0000000400)='./file0\x00', &(0x7f0000000480)='trusted.overlay.upper\x00', &(0x7f0000000500)={0x0, 0xfb, 0x4f, 0x6, 0x5, "fae6bc8cf1a5ca4bd5bbd3cdfa564485", "b5484f407fbc4e33194c715a92a38be87b7ef8659097a96061a752d6f651980e043b0c925bd4beb6ad57328dd4eec9ee787631db6244c9b70270"}, 0x4f, 0x2) listen(r2, 0xd4) mkdir(&(0x7f0000000040)='./file0\x00', 0x40) dup2(0xffffffffffffffff, 0xffffffffffffffff) 00:58:29 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:29 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x9, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) setxattr$trusted_overlay_upper(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='trusted.overlay.upper\x00', &(0x7f0000000280)={0x0, 0xfb, 0x80, 0x4, 0x7fffffff, "ec36e8105e485f7ed726f2421c73f692", "f07fba094e425a492e70163e0073b2a5d7c0ab0d424b1112c92dc19c8e7222d4cd0d32fbd3c396232ea9669dcc7880bfd58927b3cf9f1ae8a0ea6ad503f8c1e4c87185b41d456ee599711a711c1ff5fae2673b9d3ca46dc3b86097902c139c4f70013ccae15ac9b56b463b"}, 0x80, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) r3 = syz_open_procfs(0x0, &(0x7f0000000040)='net/protocols\x00') ioctl$KVM_SET_VAPIC_ADDR(r3, 0x4008ae93, &(0x7f0000000080)=0x2000) [ 359.544103] binder: undelivered TRANSACTION_ERROR: 29201 [ 359.549756] binder: send failed reply for transaction 795 to 13799:13800 [ 359.594032] binder: undelivered TRANSACTION_COMPLETE [ 359.599255] binder: undelivered TRANSACTION_ERROR: 29189 00:58:29 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 359.733635] binder: 13820:13821 got transaction to context manager from process owning it [ 359.742325] binder: 13820:13821 transaction failed 29201/-22, size 0-0 line 2887 00:58:29 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) splice(r1, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:29 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 359.802453] binder_alloc: binder_alloc_mmap_handler: 13820 20001000-20004000 already mapped failed -16 [ 359.846820] binder: BINDER_SET_CONTEXT_MGR already set [ 359.852370] binder: 13820:13821 ioctl 40046207 0 returned -16 [ 359.923300] binder_alloc: 13820: binder_alloc_buf, no vma [ 359.929057] binder_alloc: 13820: binder_alloc_buf, no vma [ 359.929088] binder: 13820:13828 transaction failed 29189/-3, size 24-8 line 3035 [ 359.942663] binder: 13820:13837 transaction failed 29189/-3, size 0-0 line 3035 00:58:30 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0xc074510c, &(0x7f0000a07fff)) 00:58:30 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 360.063630] binder: undelivered TRANSACTION_ERROR: 29189 [ 360.069198] binder: undelivered TRANSACTION_ERROR: 29189 [ 360.074985] binder: send failed reply for transaction 801 to 13820:13821 [ 360.081956] binder: undelivered TRANSACTION_COMPLETE 00:58:30 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:30 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) add_key(&(0x7f0000000040)='.request_key_auth\x00', &(0x7f0000000080)={'syz', 0x1}, &(0x7f0000000380)="75e104246f6e53e4941c6897db445e6a5683d03fdd72458a4927f751511092d60a6630e88a6093b4b71db5aa2543f0c17bf3b11fe2c3d10645056af0740dd326d9768ea90ed798aa8912d32016d957b19daa4863af67dc63ccfcfcb9dae8d991064dc2e576af3921dd3213e44cb5b32895632c0f34dc0191a4e38730b1311e62b4a8db538830c8a162be5faca50b829f945b9b335cc58ed6f1205cbe93a589909296b64ca0bf754ae2917ae1f5fd7582f66987e9067e1abdb5f33f043f847902b9299b72cd67743f38", 0xc9, 0xfffffffffffffffd) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:30 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) setsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:30 executing program 4: r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000200)='/dev/net/tun\x00', 0xd, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000080)={'\x10\x02\x00\x00\x18t\x00\x00\xa5\x00', 0x420000015001}) r1 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=@newlink={0x28, 0x10, 0xc362e63b3f31ba5f, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x3}, [@IFLA_GROUP={0x8}]}, 0x28}}, 0x0) write$tun(r0, &(0x7f0000000340)=ANY=[@ANYBLOB="010000000000290000006031409200443a00fe800000000000000000000000000000ff0200000000000000000000000000010000907800000000fe800000000000000000000000000000"], 0x1) [ 360.356941] binder: 13852:13854 got transaction to context manager from process owning it [ 360.365581] binder: 13852:13854 transaction failed 29201/-22, size 0-0 line 2887 00:58:30 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:30 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") ioctl$KDGKBLED(0xffffffffffffffff, 0x8004510a, &(0x7f0000a07fff)) [ 360.596519] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready [ 360.603486] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready 00:58:30 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="0063404000000000000000000000000000000000000000c150208e86127bcd5b4f00000000000e0000000200000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000040)=ANY=[@ANYBLOB="00000000000000004f9d607ac58f7d4e3183fb10ccd73fef701f9bc2529db2fbf552a6bea05d8054d08da9c9b63a8fc9de626b43d455c78826f9904efdefa477e15a8bcf9f4fa955633255dd6dfb75a6587a91386ca60bcb3fc3ce2a748c23918e68577806bd06f4eb92d866959d3792"]], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 360.672878] binder: send failed reply for transaction 810 to 13852:13854 [ 360.679908] net_ratelimit: 14 callbacks suppressed [ 360.679939] A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. [ 360.680702] binder: undelivered TRANSACTION_COMPLETE [ 360.744547] protocol 88fb is buggy, dev hsr_slave_0 [ 360.750372] protocol 88fb is buggy, dev hsr_slave_1 [ 360.773844] binder_alloc: 13871: binder_alloc_buf size 562949955911680 failed, no address space [ 360.782987] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) 00:58:30 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 360.822159] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready 00:58:31 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) splice(r1, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:31 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") ioctl$KDGKBLED(0xffffffffffffffff, 0x8004510a, &(0x7f0000a07fff)) 00:58:31 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 360.947846] A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. [ 360.967721] binder: 13871:13879 got transaction to context manager from process owning it 00:58:31 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") ioctl$KDGKBLED(0xffffffffffffffff, 0x8004510a, &(0x7f0000a07fff)) 00:58:31 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:31 executing program 0: syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f00000000c0), 0xb6aae84ce6d9a6c1, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000005c0)={0x224, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000876bc3503143dbc129f7ed1662b32ae17faaf287726fbf8fd29501d8405c395a2421282eaad399fe2b6cd095087d0644026539a139faba2de54b652a3bb8b6c8ce2f91e4cf576ac807e9c67da2993a103f8ae5c731caa9049eacc4c52214424c137f5521ddbfa49d"], 0x0, 0x0, 0x0}) 00:58:31 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) write$binfmt_elf32(r2, &(0x7f0000000340)=ANY=[], 0xff0e) close(r2) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f00000000c0)=0x800000100000001, 0x4) setsockopt$inet_tcp_TCP_MD5SIG(r2, 0x6, 0xe, &(0x7f0000000180)={@in6={{0xa, 0x0, 0x0, @ipv4}}, 0x0, 0x40, 0x0, "5c7d866ff43751f8873fcb0dab400c418118817f88dd32c8a5bd1f96947a61b9c9627f989c7f422dd7658bd36505c1c3e348680b100694e23cb170b6156fe10ef3d50b45685df5fda61c86a7608eaf0a"}, 0x4b6) connect$inet6(r3, &(0x7f0000000140), 0x1c) setsockopt$inet6_tcp_TCP_ULP(r3, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0x355) setsockopt$inet6_tcp_TLS_TX(r3, 0x11a, 0x1, &(0x7f0000000100), 0x28) splice(r1, 0x0, r2, 0x0, 0x100000000, 0x0) connect$unix(r2, &(0x7f0000000280)=@file={0x0, './file0\x00'}, 0x6e) connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @rand_addr="9f052945b4534453ff211b2cd491f5cb"}, 0x1c) close(r2) 00:58:31 executing program 5: socket$inet_udplite(0x2, 0x2, 0x88) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) [ 361.458717] binder: 13897:13899 unknown command 0 [ 361.464285] binder: 13897:13899 ioctl c0306201 20000000 returned -22 [ 361.489514] binder: 13897:13899 got transaction to context manager from process owning it 00:58:31 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000fbb3695b3fc99503558c9b06ada6fe6c6718f9e64aef00e8a41a596565edcea347f067ecfd209e309a72491584238649c79db577cab8c2ae6e29b1e625170ff565606277", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='e\a\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$FIDEDUPERANGE(r0, 0xc0189436, &(0x7f0000000280)=ANY=[@ANYBLOB="0800000000000000815b0000000000000700000000000000", @ANYRES32=r2, @ANYBLOB="00000000e60500000000000000000000000000000000000000000000", @ANYRES32=r0, @ANYBLOB="00000000010000800000000000000000000000000000000000000000", @ANYRES32=r3, @ANYBLOB="00000000050000000000000000000000000000000000000000000000", @ANYRES32=r0, @ANYBLOB="00000000040000000000000000000000000000000000000000000000", @ANYRES32=r0, @ANYBLOB="01000000ffff00010000000000000000000000000000000000000000", @ANYRES32=r0, @ANYBLOB="00000000060000000000000000000000000000000000000000000000", @ANYRES32=r0, @ANYBLOB="00000000ff7fffffffffffff00000000000000000000000000000000"]) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 361.688515] binder: 13909:13910 got transaction to context manager from process owning it [ 361.703096] protocol 88fb is buggy, dev hsr_slave_0 [ 361.703158] protocol 88fb is buggy, dev hsr_slave_0 [ 361.708695] protocol 88fb is buggy, dev hsr_slave_1 [ 361.713809] protocol 88fb is buggy, dev hsr_slave_1 [ 361.719310] protocol 88fb is buggy, dev hsr_slave_0 [ 361.724637] protocol 88fb is buggy, dev hsr_slave_0 00:58:31 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:31 executing program 5: socket$inet_udplite(0x2, 0x2, 0x88) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) 00:58:31 executing program 4: openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000180)='memory.current\x00', 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000fc7000)={0x5, 0xe, 0x3, 0x2}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000100)={r0, &(0x7f0000000080), 0x0}, 0x20) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000fcb000)={r0, &(0x7f0000000180), 0x0}, 0x20) bpf$MAP_UPDATE_ELEM(0x4, &(0x7f000051e000)={r0, &(0x7f00000002c0), 0x0}, 0x20) [ 361.750265] binder_alloc: 13909: binder_alloc_buf, no vma 00:58:32 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="850adae75f000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc0\x00', 0x100, 0x0) setsockopt$TIPC_MCAST_REPLICAST(r3, 0x10f, 0x86) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) connect$vsock_stream(r3, &(0x7f0000000080)={0x28, 0x0, 0x2711}, 0x10) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000280)={0xfffffd7e, 0x0, &(0x7f0000000100), 0x46, 0x0, 0x0}) 00:58:32 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:32 executing program 5: socket$inet_udplite(0x2, 0x2, 0x88) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) 00:58:32 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) splice(r1, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:32 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000700)=ANY=[@ANYBLOB="003035fb05004afc579cfffff5d5224200001c3c905f347321c1887154e99c69c81eba54e891f3ca829564e0fd4227f3ace249861c9108a483cf9755ae0cfb1c3cd1cadc3f56dea432377431b99bcd80efc12713d628e4e11f370b5c57dbac3d5daf0dfcf6ae9a338c35067cbe990b0986bbb9356b7e7ae7f1042e3c3700cb9b6dc021141c7b7dc4a47f024a9d9f4a971baf40e37c22299b55f3b0ca98dc17c86e46f85f0f13ca6792e04e77ab647d37ed57385c0a07f3c4c17d5691456ea031056ccaf49cc96ce6e0a0455d2932ca38e5042a4fbd07942c72a175473c6868f07e2cf2491acd3f583a0fe8632df8606d4ada2f31cd135c043e3899517b0b34dd33c6539f1f8b62bebaeadc243675c27e9424a23795373d3d1246cfb5d13c16beb7330e28651f29a0e6fdca9cc177c17f9c5bf845290ad2"]) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:32 executing program 4: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f0000000600)=""/11, 0x357) ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000001c0)) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r1, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x151) connect$inet6(r1, &(0x7f0000000000), 0x1c) r2 = dup2(r1, r1) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r2, 0x6, 0x16, &(0x7f0000000440), 0x131f64) clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) setsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, 0xfffffffffffffffe, 0xff73) ioctl$FITRIM(r0, 0xc0185879, 0x0) [ 362.213222] binder: 13924:13925 got transaction with invalid offset (0, min 0 max 24) or object. [ 362.222502] binder_transaction: 5 callbacks suppressed [ 362.222539] binder: 13924:13925 transaction failed 29201/-22, size 24-8 line 3097 00:58:32 executing program 5: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) [ 362.399469] binder: 13924:13925 unknown command 0 [ 362.404815] binder: 13924:13925 ioctl c0306201 20000280 returned -22 00:58:32 executing program 4: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000000, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$loop(&(0x7f00000004c0)='/dev/loop#\x00', 0x0, 0x100082) pwritev(0xffffffffffffffff, 0x0, 0x0, 0x81806) openat$tun(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x30) sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0) syz_genetlink_get_family_id$tipc(0x0) fcntl$getown(0xffffffffffffffff, 0x9) ptrace$cont(0x1f, 0x0, 0x8, 0x7fffffff) mkdirat$cgroup(0xffffffffffffffff, 0x0, 0x1ff) openat$ptmx(0xffffffffffffff9c, 0x0, 0x0, 0x0) clone(0x2102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() clone(0x3000000a0160100, 0x0, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x11) wait4(0x0, 0x0, 0x0, 0x0) 00:58:32 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0xfffffffffffffffe, 0x0, &(0x7f00000001c0)) openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x80, 0x0) syz_open_dev$vcsn(&(0x7f0000000100)='/dev/vcs#\x00', 0x100, 0x20000) r2 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm-control\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0xc50) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="0563044000000000006340400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a600baf149dd84"], 0x0, 0x0, 0x0}) [ 362.558645] binder_release_work: 9 callbacks suppressed [ 362.558661] binder: undelivered TRANSACTION_ERROR: 29201 00:58:32 executing program 5: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) 00:58:32 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() stat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000240)) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 362.723958] binder: 13952:13953 got transaction to context manager from process owning it [ 362.732621] binder: 13952:13953 transaction failed 29201/-22, size 24-8 line 2887 [ 362.770787] binder_alloc: 13952: binder_alloc_buf, no vma [ 362.776809] binder: 13952:13953 transaction failed 29189/-3, size 0-0 line 3035 00:58:32 executing program 4: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000480)='/dev/ptmx\x00', 0x1, 0x0) write$binfmt_aout(r0, &(0x7f0000000140)=ANY=[@ANYBLOB="0000043fc9000000050000008c0108000400000000b5928fbd0065750edee191a1f989377007009523b12e0300000073176e2227a3d29be7923fa4c8fa0620416a0dc38b518cdf6282f179ae62096413"], 0x50) ioctl$TCSETA(r0, 0x5406, &(0x7f0000000000)={0x6, 0x3d5}) [ 362.846293] binder_alloc: binder_alloc_mmap_handler: 13952 20001000-20004000 already mapped failed -16 [ 362.891973] binder: BINDER_SET_CONTEXT_MGR already set [ 362.897604] binder: 13952:13953 ioctl 40046207 0 returned -16 00:58:33 executing program 5: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) [ 362.935224] binder_alloc: 13952: binder_alloc_buf, no vma [ 362.940948] binder: 13952:13967 transaction failed 29189/-3, size 24-8 line 3035 [ 363.016753] binder_alloc: 13952: binder_alloc_buf, no vma [ 363.022557] binder: 13952:13963 transaction failed 29189/-3, size 0-0 line 3035 [ 363.053126] binder: undelivered TRANSACTION_ERROR: 29201 [ 363.062578] binder: undelivered TRANSACTION_ERROR: 29189 [ 363.068253] binder: undelivered TRANSACTION_ERROR: 29189 [ 363.073896] binder: undelivered TRANSACTION_ERROR: 29189 00:58:33 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x80000, 0x0) getsockopt$packet_buf(r2, 0x107, 0x7, &(0x7f0000000080)=""/89, &(0x7f0000000100)=0x59) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000000000002000000000000"], 0x0, 0x0, 0x0}) 00:58:33 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00'}) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:33 executing program 4: r0 = open$dir(&(0x7f0000000080)='.\x00', 0x0, 0x0) mkdirat(r0, 0x0, 0x0) mkdirat(r0, &(0x7f0000000000)='./file0\x00', 0x0) semget(0xffffffffffffffff, 0x6, 0x1) getsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0) setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0) clock_gettime(0x0, 0x0) utimensat(r0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000180)={{}, {0x77359400}}, 0xfffffffffffffffc) 00:58:33 executing program 5: socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) 00:58:33 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) getpid() r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 363.412322] binder: 13980:13983 got transaction to context manager from process owning it [ 363.420873] binder: 13980:13983 transaction failed 29201/-22, size 0-1024 line 2887 00:58:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000001a004aaf21f6e265fd764fe0944d857b97e8434582ab5aac984272d3882145d28ab9ea2aea30e91fdaf7c87c3a23be1ce8f40fe85b07e8c0c55d495b8a0881cdefaf0e539161917e95a1d3d598fefccd969a77d39e0f3cf0e3dbf6a1fd132a5f70bb36679c1aac133cc576e0a9736a8a446749c67c29cd110b7c66170caeccf7ef5e4d75726041713a7c828b061e27b207f6619dfb470d7ab60e89d61e5987ecd479b8885b9ee2b77d8c62bb74b6398b738616560f7a12bb6ff81e7f2b5fecc9bdae569bebf173", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles\x00', 0x200, 0x0) bind$inet(r2, &(0x7f0000000080)={0x2, 0x4e21, @multicast2}, 0x10) ioctl$SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE(r2, 0xc08c5336, &(0x7f0000000380)={0xfffffffffffffe01, 0x8, 0x8001, 'queue0\x00', 0x800}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$netlink(r2, 0x10e, 0x4, &(0x7f0000000280)=""/153, &(0x7f0000000340)=0x99) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) openat$vfio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vfio/vfio\x00', 0x400, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) r4 = syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x3f, 0x0) ioctl$VIDIOC_G_PARM(r4, 0xc0cc5615, &(0x7f0000000140)={0x1, @raw_data="9a2ec0827be5294573dc7b82e61e095b32766a2cb553ac8632e774b6d6e743970f000a03ab781de3d12a8ed6940a158d54790555aadc42f92b444014918a405ab230a6eab3e8c8ddcb67ed9355ef4545e689505692a203c0b31455723f998be4439f5e794cdd8039fc7915533884b498abccb1cd8e2658b64f31c230ae068d23db1c4dfcc7a860a54c730a0e27a10f1757581df831fa6fd78898b16e47f5775de0b2afad1b8681cf9f46c21617ce11682008e5283fd89391534cd50449b5ab6a11486e6bdc7361e6"}) fcntl$getownex(r2, 0x10, &(0x7f00000000c0)) 00:58:33 executing program 4: syz_emit_ethernet(0x83, &(0x7f0000000340)={@local, @local, [], {@ipv6={0x86dd, {0x0, 0x6, "1bfc97", 0x4d, 0x88, 0x0, @dev, @mcast2, {[], @udp={0x0, 0x0, 0x4d, 0x0, [], "e29607149378d33e1db1c73936c77aa3f7fac33b042bd368236862531934ecb1c373d6ea51369e92fb96cc7c6fe4e24d1fcafff87429e50b32881721afab69cc3712c37ed0"}}}}}}, 0x0) 00:58:33 executing program 5: socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) [ 363.603058] binder: release 13980:13983 transaction 836 out, still active [ 363.610125] binder: unexpected work type, 4, not freed [ 363.615688] binder: undelivered TRANSACTION_COMPLETE [ 363.620875] binder: undelivered TRANSACTION_ERROR: 29201 [ 363.626504] binder: send failed reply for transaction 836, target dead [ 363.804390] binder_alloc: 13999: binder_alloc_buf size 7318349394477088 failed, no address space [ 363.813590] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) [ 363.822653] binder: 13999:14003 transaction failed 29201/-28, size 24-7318349394477064 line 3035 00:58:33 executing program 4: r0 = socket$kcm(0x2, 0x400000805, 0x0) sendmsg$kcm(r0, &(0x7f0000000740)={&(0x7f0000000640)=@in={0x2, 0x0, @dev}, 0x80, &(0x7f0000000580)=[{&(0x7f0000000200)="ff", 0x1}], 0x1}, 0x0) [ 363.852461] binder: 13999:14003 got transaction to context manager from process owning it [ 363.860944] binder: 13999:14003 transaction failed 29201/-22, size 0-0 line 2887 00:58:34 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:34 executing program 5: socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r0, 0x8004510a, &(0x7f0000a07fff)) [ 364.009497] binder: undelivered TRANSACTION_ERROR: 29201 [ 364.015992] binder: undelivered TRANSACTION_ERROR: 29201 00:58:34 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:34 executing program 0: r0 = syz_open_dev$binder(&(0x7f00000000c0)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs\x00', 0x0, 0x0) ioctl$ASHMEM_PURGE_ALL_CACHES(r3, 0x770a, 0x0) r4 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vga_arbiter\x00', 0x800, 0x0) ioctl$EVIOCGKEY(r4, 0x80404518, &(0x7f0000000680)=""/4096) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="056f044000800000006340400000000000000000000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) [ 364.284968] binder: 14014:14015 unknown command 1074032389 [ 364.290818] binder: 14014:14015 ioctl c0306201 200005c0 returned -22 00:58:34 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00'}) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:34 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:34 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snapshot\x00', 0x0, 0x0) 00:58:34 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:34 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r1, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 00:58:34 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) r3 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x111000, 0x0) ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffff9c, 0xc0206434, &(0x7f0000000080)={0x0, 0x0, 0x2, 0x7f}) ioctl$DRM_IOCTL_AGP_UNBIND(r3, 0x40106437, &(0x7f00000000c0)={r4, 0x5}) [ 364.580182] binder: send failed reply for transaction 846 to 14014:14015 [ 364.590244] binder: undelivered TRANSACTION_COMPLETE [ 364.595697] binder: undelivered TRANSACTION_ERROR: 29189 00:58:34 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:34 executing program 4: [ 364.770882] binder: 14039:14040 got transaction to context manager from process owning it [ 364.779630] binder: 14039:14040 transaction failed 29201/-22, size 0-0 line 2887 00:58:34 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:35 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:35 executing program 0: getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000100)={0x0, 0x0}, &(0x7f0000000140)=0xc) stat(&(0x7f0000000280)='./file0\x00', &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fstat(0xffffffffffffff9c, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x6, &(0x7f00000002c0)=[0xee00, 0xffffffffffffffff, 0xee01, 0xffffffffffffffff, 0xee01, 0x0]) getgroups(0x9, &(0x7f0000000480)=[0xee01, 0x0, 0x0, 0xee01, 0xee00, 0xee00, 0x0, 0xee00, 0xee01]) getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f00000004c0)={0x0, 0x0, 0x0}, &(0x7f0000000500)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r7 = getgid() stat(&(0x7f0000000680)='./file0\x00', &(0x7f00000006c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) lsetxattr$system_posix_acl(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='system.posix_acl_default\x00', &(0x7f0000000740)={{}, {0x1, 0x4}, [{0x2, 0x6, r0}], {}, [{0x8, 0x6, r1}, {0x8, 0x3, r2}, {0x8, 0x3, r3}, {0x8, 0x4, r4}, {0x8, 0x3, r5}, {0x8, 0x7, r6}, {0x8, 0x4, r7}, {0x8, 0x1, r8}], {0x10, 0x5}, {0x20, 0x4}}, 0x6c, 0x3) r9 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r10 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r10, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r10, 0x40046207, 0x0) fremovexattr(r10, &(0x7f0000000040)=@random={'trusted.', '/ppp0]lo{vboxnet1\x00'}) ioctl$BINDER_WRITE_READ(r9, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r11, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r10, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:35 executing program 4: seccomp(0x1, 0x0, &(0x7f0000001980)={0x1, &(0x7f0000000580)=[{0x6, 0x0, 0x0, 0xfffffffffffffffe}]}) r0 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = dup2(r0, r0) getdents(r1, &(0x7f00000005c0)=""/4096, 0x1000) [ 364.962429] binder: undelivered TRANSACTION_ERROR: 29201 [ 364.968642] binder: send failed reply for transaction 850 to 14039:14040 [ 364.994945] binder: undelivered TRANSACTION_COMPLETE [ 365.202354] binder: 14054:14056 got transaction to context manager from process owning it [ 365.210864] binder: 14054:14056 transaction failed 29201/-22, size 0-0 line 2887 [ 365.266774] audit: type=1326 audit(1551488315.305:34): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=14055 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45ac8a code=0xffff0000 00:58:35 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00'}) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:35 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r0 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:35 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:35 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, 0x0) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:35 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x1, 0x0) ioctl$SG_GET_COMMAND_Q(r2, 0x2270, &(0x7f0000000080)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 365.411123] binder: send failed reply for transaction 856 to 14054:14056 [ 365.419387] binder: undelivered TRANSACTION_COMPLETE [ 365.555432] binder: 14064:14066 got transaction to context manager from process owning it 00:58:35 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r0 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:35 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) close(r1) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 365.644725] binder: send failed reply for transaction 862 to 14064:14066 [ 365.653056] binder: undelivered TRANSACTION_COMPLETE 00:58:35 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, 0x0) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 365.866405] net_ratelimit: 16 callbacks suppressed [ 365.866424] protocol 88fb is buggy, dev hsr_slave_0 [ 365.874186] protocol 88fb is buggy, dev hsr_slave_0 [ 365.877120] protocol 88fb is buggy, dev hsr_slave_1 [ 365.882156] protocol 88fb is buggy, dev hsr_slave_1 [ 365.887392] protocol 88fb is buggy, dev hsr_slave_0 [ 365.892486] protocol 88fb is buggy, dev hsr_slave_0 [ 365.897297] protocol 88fb is buggy, dev hsr_slave_1 [ 365.902525] protocol 88fb is buggy, dev hsr_slave_1 00:58:36 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, 0x0) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:36 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r0 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000340)={0x0, {0x2, 0x4e21, @local}, {0x2, 0x4e20, @multicast2}, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1b}}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0xfff, 0xfffffffffffffff9}) r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sync() ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000680)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dc2b6cb151bea506529c06a1bc5c532bffdca1d82396de491ee5d505394681e92322374cfdf61368d649e7981d8718a8c26f26fe903885c77d971ddb3f266151753a89a8069cf67f40eacf25ff056a6672ca6417a66fed8e683c841b554460a92e4fd143295c2289ba6da2ac8c16b90f6993974bf602e24372e085692c9684250f6b0168813e951c5c7f4608d952bdd5340c8f6dc0c3df23a7e4359ede997e19a6f22f0c5c375ca94330d4fe145a26ce96241d26074c50fd2ed1acb0c4ff0d5952ecbec1612f9807f92788bde0b7179b4fcb9ebdb76a32fa7ad21a752335d14513ef1b2fed817a34a431acabf475edf16e6e7a949a1307496f4916eca880e7bdd3f1719c01cf2f857b8b52e3757c3c4c12e1a0393a4ff805fd0a106127e9ed4390745949317eda96e2017f40f21aee19ee54478c39fcc2297c9e32f316db91630efdb85153493bbdcf0601b8dd9c31a9e251969fb2f29521b0e142c101859f934f5dad1bffda4c30f712857c57f64a63a87b9a6eef352fcc0ddc3fc941db603b0e0b60b41ed6459ededacdfd6b1d57dfd2c95facaaa7b0065c2d74ddcbe477e04fb33a6dcd62e537fa6be13ce1bde2bef0d0220d717d2fbef07bb490ff52257da7656de3ec2b6160bf5e17e25fcd6560258673626186721100d27312f6fdd953e9e2333054caed9fbf0c0b338fc89e6bc643083ae37a0173c90fefc105458a2ddae39a2eba1286e10416191cc2aa725a0cc14b8e9d491d9f19950809e3fba0f79df24ff936dd0c356ec0dd2678b6e53cf739e4af516a3d936f9f792e97619f8e0240381dc8e995f4e88cb0025fcc47902832b5f320dd043c1f73a5a6ffe56ebfdeed9522a88282460bbf7f00541d7e64029eb72e5e4bccf77c5cd5e60525beae3e"], 0x0, 0x0, 0x0}) [ 366.015289] audit: type=1326 audit(1551488316.065:35): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=14055 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45ac8a code=0xffff0000 00:58:36 executing program 4: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000080)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) clone(0x2102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() clone(0x3000000a0160100, 0x0, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x11) wait4(0x0, 0x0, 0x0, 0x0) [ 366.204060] binder: 14087:14096 got transaction to context manager from process owning it [ 366.325180] binder: send failed reply for transaction 869 to 14087:14095 [ 366.336132] binder: undelivered TRANSACTION_COMPLETE [ 366.448357] ptrace attach of "/root/syz-executor.4"[14102] was attempted by "/root/syz-executor.4"[14103] 00:58:36 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:36 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x400, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:36 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB]], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = dup(r0) ioctl$KVM_XEN_HVM_CONFIG(r3, 0x4038ae7a, &(0x7f0000000100)={0x9f8, 0xb16, &(0x7f0000000040)="04897fdc15b198831694eafbe3d3ecee1a282dcc51a2512dd34ba18326246f4b84f3b66b11bed81124bf6b70354b8b27c2541f7a5c890f2ff1b8ea0e61c19b960b53152eaa27e462c3f4de50877ee3cd5947be3dde1426", &(0x7f00000000c0)="fde13074bf1ec7eeebe39d0428728984fdd7efb41b0e5bdbf1d109289b001496d2541bc49bd931edeb54f641ed6d5c58ae21b7ed102f6e75147a9253ea7d", 0x57, 0x3e}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:36 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:36 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0xc004510e, &(0x7f0000a07fff)) 00:58:36 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 366.667228] binder: 14115:14119 ioctl 4038ae7a 20000100 returned -22 [ 366.691563] binder: 14115:14119 got transaction to context manager from process owning it 00:58:36 executing program 4: socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ptmx\x00', 0x0, 0x0) poll(&(0x7f0000000100)=[{r1}], 0x1, 0xfffffffffffffffd) ioctl$TCSETS(r1, 0x40045431, &(0x7f00000000c0)) ioctl$TCSETS(r1, 0x5402, &(0x7f0000000040)={0x0, 0xffffffff}) r2 = syz_open_pts(r1, 0x2) dup3(r2, r1, 0x0) write(r1, &(0x7f00000001c0)="ca07ab8bd73958f9d9b73b93d858f33490ff2c63ad69f26355b52179c07a18f5ceb0c275be377bd83f71b81d571fd64211e279aff1098d0d715268dead3330542c878c56d87b24f351fd82d36180029b986b5ba2f5227439794a180a6205f200b696690d62445e755a", 0x69) 00:58:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = getpid() ptrace(0x4219, r2) r3 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vga_arbiter\x00', 0x404200, 0x0) getsockopt$inet_sctp6_SCTP_MAX_BURST(r3, 0x84, 0x14, &(0x7f0000000100), &(0x7f0000000140)=0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="006340400000000000000000398b52eeb125673a0000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="056304400000000000634040c8ff03629a671c890bc400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) [ 366.854552] binder: release 14115:14119 transaction 875 out, still active [ 366.861726] binder: unexpected work type, 4, not freed [ 366.867219] binder: undelivered TRANSACTION_COMPLETE [ 366.901451] binder: send failed reply for transaction 875, target dead 00:58:37 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:37 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 366.982819] protocol 88fb is buggy, dev hsr_slave_0 [ 366.988593] protocol 88fb is buggy, dev hsr_slave_1 [ 367.008722] binder: 14127:14131 got transaction to invalid handle 00:58:37 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 367.177010] binder: send failed reply for transaction 881 to 14127:14131 [ 367.204185] binder: undelivered TRANSACTION_COMPLETE 00:58:37 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:37 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x80, 0x2) setsockopt$IP_VS_SO_SET_STOPDAEMON(r2, 0x0, 0x48c, &(0x7f0000000080)={0x1, 'rose0\x00', 0x2}, 0x18) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:37 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:37 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:37 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 367.613882] binder: 14151:14152 got transaction to context manager from process owning it [ 367.622704] binder_transaction: 5 callbacks suppressed [ 367.622735] binder: 14151:14152 transaction failed 29201/-22, size 0-0 line 2887 00:58:37 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:37 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:38 executing program 4: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x2400, 0x0) r0 = socket$kcm(0x10, 0x2, 0x10) sendmsg$kcm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)=[{&(0x7f00000001c0)="2e0000002800813ee45ae087184a82cf0400b0eba06ec40000230000a022bd322be5e6adcef60000000051894dd6", 0x2e}], 0x1}, 0x0) 00:58:38 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) socket$inet6(0xa, 0xb, 0x2) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:38 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) rt_sigreturn() [ 367.891245] binder_release_work: 11 callbacks suppressed [ 367.891261] binder: undelivered TRANSACTION_ERROR: 29201 [ 367.902702] binder: send failed reply for transaction 887 to 14151:14152 [ 367.913547] binder: undelivered TRANSACTION_COMPLETE [ 367.918852] binder: undelivered TRANSACTION_ERROR: 29189 00:58:38 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 368.047159] binder: 14171:14173 got transaction to context manager from process owning it [ 368.055777] binder: 14171:14173 transaction failed 29201/-22, size 0-0 line 2887 00:58:38 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 368.309498] binder: undelivered TRANSACTION_ERROR: 29201 [ 368.315284] binder: send failed reply for transaction 893 to 14171:14173 [ 368.338015] binder: undelivered TRANSACTION_COMPLETE [ 368.344145] binder: undelivered TRANSACTION_ERROR: 29189 00:58:38 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:38 executing program 4: 00:58:38 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:38 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) openat$capi20(0xffffffffffffff9c, &(0x7f0000000040)='/dev/capi20\x00', 0x2, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng\x00', 0x240040, 0x0) r2 = openat$mixer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/mixer\x00', 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x5) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:38 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:38 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)=0x1) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 368.659737] binder: 14191:14196 got transaction to context manager from process owning it [ 368.668403] binder: 14191:14196 transaction failed 29201/-22, size 0-0 line 2887 00:58:38 executing program 4: [ 368.751814] binder_alloc: binder_alloc_mmap_handler: 14191 20001000-20004000 already mapped failed -16 00:58:38 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 368.799948] binder: BINDER_SET_CONTEXT_MGR already set [ 368.805412] binder: 14191:14196 ioctl 40046207 0 returned -16 00:58:38 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 368.875494] binder_alloc: 14191: binder_alloc_buf, no vma [ 368.881142] binder: 14191:14208 transaction failed 29189/-3, size 24-8 line 3035 00:58:39 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 368.955043] binder_alloc: 14191: binder_alloc_buf, no vma [ 368.960690] binder: 14191:14208 transaction failed 29189/-3, size 0-0 line 3035 00:58:39 executing program 4: [ 369.056090] binder: release 14191:14196 transaction 899 out, still active [ 369.066143] binder: unexpected work type, 4, not freed [ 369.071442] binder: undelivered TRANSACTION_COMPLETE 00:58:39 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(0xffffffffffffffff, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) [ 369.114315] binder: undelivered TRANSACTION_ERROR: 29189 [ 369.119896] binder: undelivered TRANSACTION_ERROR: 29189 [ 369.125626] binder: undelivered TRANSACTION_ERROR: 29201 [ 369.131154] binder: send failed reply for transaction 899, target dead 00:58:39 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:39 executing program 0: r0 = syz_open_dev$video(&(0x7f0000000100)='/dev/video#\x00', 0x1400000003, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x1, 0x31, 0xffffffffffffffff, 0x0) ioctl$VIDIOC_ENUMAUDIO(r0, 0xc0345641, &(0x7f0000000200)={0x0, "be9eb3fab01218fef1f01b18389e4f7dcde7c962ae9058711acaf995bd2f2646"}) ioctl$VIDIOC_ENUMAUDIO(r0, 0xc0345641, &(0x7f0000000240)={0x0, "90bbf8d6d95c614b699904ec88004478180ffb0c1c675d581268848452e53710"}) r2 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) r5 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000080)='/proc/capi/capi20\x00', 0x282200, 0x0) ioctl$SCSI_IOCTL_GET_PCI(r5, 0x5387, &(0x7f00000000c0)) ioctl$KVM_GET_FPU(r5, 0x81a0ae8c, &(0x7f0000000200)) ioctl$FIBMAP(r2, 0x1, &(0x7f0000000040)=0x9) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="056304400000000000634040000000000000000000000000000000000000000000000000000000000000000000000000000064e8d0a0675da4551441"], 0x0, 0x0, 0x0}) 00:58:39 executing program 2: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:39 executing program 4: 00:58:39 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet6_mreq(r0, 0x29, 0x0, 0x0, 0x0) write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = mmap$binder(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x1, 0x40010, r1, 0x0) r4 = mmap$binder(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x1000004, 0xa6ad33773925dc7d, r1, 0x1c) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000280)={0xa0, 0x0, &(0x7f0000000380)=[@acquire_done={0x40106309, r3, 0x4}, @enter_looper, @transaction_sg={0x40486311, {{0x1, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x40, 0x8, &(0x7f0000000080)=[@ptr={0x70742a85, 0x0, &(0x7f0000000040), 0x1, 0x3, 0x25}, @fd={0x66642a85, 0x0, r1, 0x0, 0x2}], &(0x7f00000000c0)=[0x48]}, 0x3}}, @request_death={0x400c630e, 0x2, 0x1}, @clear_death={0x400c630f, 0x4, 0x1}, @decrefs, @acquire_done={0x40106309, r4, 0x3}], 0x55, 0x0, &(0x7f0000000100)="be970a8aed8b23d8d193c7670346a4a258b912bcce22b21e30b38e0d1b4030f28a567b0898c4e071fb45cac29d92d2a59cfdcf94d992126c4c010a3357e1db8e2676e04de5027a08ea16bffb814d1c8bb3476fc6da"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:39 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 369.649229] binder: 14241:14242 BC_ACQUIRE_DONE u0000000000000000 node 907 cookie mismatch 0000000000000004 != 0000000000000000 [ 369.661220] binder_alloc: 14241: binder_alloc_buf, no vma [ 369.666949] binder: 14241:14242 transaction failed 29189/-3, size 64-8 line 3035 00:58:39 executing program 4: [ 369.724007] binder: 14241:14247 got transaction to context manager from process owning it [ 369.732879] binder: 14241:14247 transaction failed 29201/-22, size 0-0 line 2887 00:58:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) 00:58:39 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:39 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) [ 369.843122] binder: undelivered TRANSACTION_ERROR: 29201 [ 369.848799] binder: send failed reply for transaction 908 to 14241:14242 [ 369.888143] binder: undelivered TRANSACTION_COMPLETE [ 369.893505] binder: undelivered TRANSACTION_ERROR: 29189 [ 369.982702] binder: 14252:14255 got transaction to context manager from process owning it [ 369.991214] binder: 14252:14255 transaction failed 29201/-22, size 0-0 line 2887 [ 370.198412] binder: undelivered TRANSACTION_ERROR: 29201 [ 370.204198] binder: send failed reply for transaction 915 to 14252:14255 [ 370.220097] binder: undelivered TRANSACTION_COMPLETE 00:58:40 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(0xffffffffffffffff, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:40 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:40 executing program 4: 00:58:40 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:40 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) syz_open_dev$audion(&(0x7f0000000040)='/dev/audio#\x00', 0xcdc4, 0x800) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:40 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 370.353825] binder: 14269:14270 got transaction to context manager from process owning it [ 370.362403] binder: 14269:14270 transaction failed 29201/-22, size 0-0 line 2887 00:58:40 executing program 4: 00:58:40 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:40 executing program 0: r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000580)='/dev/rtc0\x00', 0x80, 0x0) ioctl$RTC_VL_READ(r0, 0x80047013, &(0x7f0000000280)) r1 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x0, 0x1010, r2, 0x0) r3 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000440)='/proc/sys/net/ipv4/vs/expire_quiescent_template\x00', 0x2, 0x0) getsockopt$inet_sctp6_SCTP_PR_STREAM_STATUS(r3, 0x84, 0x74, &(0x7f0000000480)=""/143, &(0x7f0000000540)=0x8f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r5 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x3, 0x4000) setsockopt$RDS_GET_MR_FOR_DEST(r5, 0x114, 0x7, &(0x7f0000000380)={@in6={0xa, 0x4e21, 0x8, @loopback, 0x4}, {&(0x7f0000000080)=""/24, 0x113}, &(0x7f00000000c0), 0x8}, 0xa0) ioctl$PERF_EVENT_IOC_QUERY_BPF(r5, 0xc008240a, &(0x7f0000000100)={0x4, 0x0, [0x0, 0x0, 0x0, 0x0]}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) [ 370.553146] binder: send failed reply for transaction 921 to 14269:14270 [ 370.563288] binder: undelivered TRANSACTION_COMPLETE 00:58:40 executing program 4: 00:58:40 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:40 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 370.760246] binder_alloc: 14283: binder_alloc_buf, no vma [ 370.766202] binder: 14283:14287 transaction failed 29189/-3, size 24-8 line 3035 [ 370.834734] binder: 14283:14295 got transaction to context manager from process owning it [ 371.143253] net_ratelimit: 20 callbacks suppressed [ 371.143273] protocol 88fb is buggy, dev hsr_slave_0 [ 371.153980] protocol 88fb is buggy, dev hsr_slave_1 00:58:41 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(0xffffffffffffffff, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:41 executing program 4: 00:58:41 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$usbmon(&(0x7f0000000040)='/dev/usbmon#\x00', 0x1, 0x0) ioctl$PPPIOCGDEBUG(r2, 0x80047441, &(0x7f0000000080)) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:41 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, &(0x7f0000a07fff)) 00:58:41 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:41 executing program 4: [ 371.422374] binder: 14302:14303 got transaction to context manager from process owning it 00:58:41 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(0xffffffffffffffff, 0x8004510a, &(0x7f0000a07fff)) 00:58:41 executing program 2: openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:41 executing program 4: 00:58:41 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:41 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = accept4$unix(0xffffffffffffff9c, &(0x7f0000000040), &(0x7f00000000c0)=0x6e, 0x80800) ioctl$sock_SIOCOUTQNSD(r1, 0x894b, &(0x7f0000000100)) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="0000000000020000"]], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) write$cgroup_type(r3, &(0x7f00000002c0)='threaded\x00', 0x9) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) r5 = syz_open_dev$vcsn(&(0x7f0000000140)='/dev/vcs#\x00', 0x1, 0x0) write$FUSE_NOTIFY_POLL(r5, &(0x7f0000000280)={0x18, 0x1, 0x0, {0x2}}, 0x18) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 371.717082] binder: release 14302:14303 transaction 931 out, still active [ 371.724173] binder: unexpected work type, 4, not freed [ 371.730085] binder: undelivered TRANSACTION_COMPLETE [ 371.735430] binder: send failed reply for transaction 931, target dead 00:58:41 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(0xffffffffffffffff, 0x8004510a, &(0x7f0000a07fff)) [ 371.956901] binder: 14325:14327 got transaction with invalid offset (2199023255552, min 0 max 24) or object. [ 372.103374] protocol 88fb is buggy, dev hsr_slave_0 [ 372.103535] protocol 88fb is buggy, dev hsr_slave_0 [ 372.109083] protocol 88fb is buggy, dev hsr_slave_1 [ 372.114182] protocol 88fb is buggy, dev hsr_slave_1 [ 372.119508] protocol 88fb is buggy, dev hsr_slave_0 [ 372.124542] protocol 88fb is buggy, dev hsr_slave_0 [ 372.129405] protocol 88fb is buggy, dev hsr_slave_1 [ 372.134461] protocol 88fb is buggy, dev hsr_slave_1 00:58:42 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:42 executing program 4: 00:58:42 executing program 2: openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:42 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(0xffffffffffffffff, 0x8004510a, &(0x7f0000a07fff)) 00:58:42 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x10001, 0x0) ioctl$BLKRESETZONE(r2, 0x40101283, &(0x7f0000000080)={0x7ff, 0x8}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f00000000c0)=ANY=[@ANYBLOB="0000fa0000108cb091cd102209a0350994ef7f5bba0000"]], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$l2tp_PPPOL2TP_SO_RECVSEQ(r2, 0x111, 0x2, 0x0, 0x4) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:42 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 372.423282] binder: 14340:14345 got transaction with invalid offset (-5725183434092314624, min 0 max 24) or object. [ 372.480645] binder: 14340:14345 got transaction to context manager from process owning it 00:58:42 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, 0x0) 00:58:42 executing program 4: 00:58:42 executing program 2: openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r1, 0xae80, 0x0) 00:58:42 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:42 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="0563044009000000006340400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000045f48c346902b72719"], 0x0, 0x0, 0x0}) 00:58:42 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, 0x0) [ 372.896147] binder: 14365:14366 Acquire 1 refcount change on invalid ref 9 ret -22 [ 372.906410] binder: 14365:14366 got transaction to context manager from process owning it [ 372.914871] binder_transaction: 5 callbacks suppressed [ 372.914905] binder: 14365:14366 transaction failed 29201/-22, size 0-0 line 2887 [ 373.079509] binder_release_work: 9 callbacks suppressed [ 373.079524] binder: undelivered TRANSACTION_ERROR: 29201 [ 373.090704] binder: send failed reply for transaction 943 to 14365:14366 [ 373.097954] binder: undelivered TRANSACTION_COMPLETE [ 373.103204] binder: undelivered TRANSACTION_ERROR: 29189 00:58:43 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:43 executing program 4: 00:58:43 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:43 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000200)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$KDGKBLED(r1, 0x8004510a, 0x0) 00:58:43 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x800010010, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="05630440000000000063404000006b4a47bf000000000000000400000000000000000000000000000000000000000002000000000000000000000000ffffffffffffffec00000000000000007bd7889531eeb9a82e71725a82b525693cd8b12c9f84a8a2d1a27fb0"], 0x0, 0x0, 0x0}) [ 373.421143] binder_alloc: 14374: binder_alloc_buf, no vma [ 373.426938] binder: 14374:14379 transaction failed 29189/-3, size 24-8 line 3035 00:58:43 executing program 4: [ 373.511482] binder: 14374:14379 got transaction to invalid handle [ 373.517962] binder: 14374:14379 transaction failed 29201/-22, size 33554432-0 line 2896 00:58:43 executing program 5: 00:58:43 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:43 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:43 executing program 4: 00:58:43 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x2) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f00000002c0)='/proc/capi/capi20ncci\x00', 0xc0400, 0x0) prctl$PR_SET_MM(0x23, 0x2, &(0x7f0000000000/0x4000)=nil) r4 = syz_genetlink_get_family_id$tipc2(&(0x7f00000003c0)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ENABLE(r3, &(0x7f0000000580)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f0000000540)={&(0x7f0000000400)={0x110, r4, 0x30, 0x70bd2c, 0x25dfdbff, {}, [@TIPC_NLA_NET={0x14, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x10001}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x9}]}, @TIPC_NLA_MEDIA={0x84, 0x5, [@TIPC_NLA_MEDIA_PROP={0x44, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xe}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x14}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1d}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x13}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1e}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x200}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7fffffff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}]}, @TIPC_NLA_NET={0x40, 0x7, [@TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x20}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x1000}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x1}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x81}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x5edd}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x71}]}, @TIPC_NLA_MON={0x24, 0x9, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x3ff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3ff}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x10001}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3}]}]}, 0x110}}, 0x4) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 373.874981] binder: undelivered TRANSACTION_ERROR: 29201 [ 373.885903] binder: undelivered TRANSACTION_ERROR: 29189 00:58:44 executing program 5: [ 374.009902] binder: 14401:14402 got transaction to context manager from process owning it [ 374.018600] binder: 14401:14402 transaction failed 29201/-22, size 0-0 line 2887 [ 374.120850] binder: undelivered TRANSACTION_ERROR: 29201 [ 374.126655] binder: send failed reply for transaction 952 to 14401:14402 [ 374.181331] binder: undelivered TRANSACTION_COMPLETE [ 374.191126] binder: undelivered TRANSACTION_ERROR: 29189 00:58:44 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:44 executing program 4: 00:58:44 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cachefiles\x00', 0x2000, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$IMCTRLREQ(r2, 0x80044945, &(0x7f0000000100)={0x0, 0xffffffff, 0x9, 0x80000001}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r3 = syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x1, 0x2) setsockopt$inet_mreqsrc(r3, 0x0, 0x25, &(0x7f0000000080)={@multicast1, @empty, @dev={0xac, 0x14, 0x14, 0x1c}}, 0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:44 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:44 executing program 5: 00:58:44 executing program 4: [ 374.433679] binder: BINDER_SET_CONTEXT_MGR already set [ 374.439175] binder: 14412:14414 ioctl 40046207 0 returned -16 00:58:44 executing program 5: [ 374.504737] binder: 14412:14414 got transaction to context manager from process owning it [ 374.513566] binder: 14412:14414 transaction failed 29201/-22, size 0-0 line 2887 [ 374.553465] binder_alloc: binder_alloc_mmap_handler: 14412 20001000-20004000 already mapped failed -16 [ 374.598389] binder: BINDER_SET_CONTEXT_MGR already set [ 374.604032] binder: 14412:14414 ioctl 40046207 0 returned -16 [ 374.625283] binder_alloc: 14412: binder_alloc_buf, no vma [ 374.631006] binder: 14412:14420 transaction failed 29189/-3, size 24-8 line 3035 00:58:44 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 374.673550] binder: BINDER_SET_CONTEXT_MGR already set [ 374.678978] binder: 14412:14414 ioctl 40046207 0 returned -16 [ 374.712923] binder: release 14412:14414 transaction 958 out, still active [ 374.720346] binder: unexpected work type, 4, not freed [ 374.726023] binder: undelivered TRANSACTION_COMPLETE 00:58:44 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:44 executing program 5: 00:58:44 executing program 4: [ 374.794109] binder: undelivered TRANSACTION_ERROR: 29189 [ 374.799733] binder: undelivered TRANSACTION_ERROR: 29201 [ 374.805625] binder: send failed reply for transaction 958, target dead 00:58:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x100000000000000, 0x2021d, r1, 0x800000000) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$sndpcmp(&(0x7f00000000c0)='/dev/snd/pcmC#D#p\x00', 0x0, 0x40) ioctl$LOOP_SET_DIRECT_IO(r2, 0x4c08, 0x8) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) mq_open(&(0x7f0000000140)='[,_posix_acl_access\\!ppp1\x00', 0x0, 0x4, &(0x7f0000000280)={0x8, 0x9, 0x2, 0x2, 0x7f, 0xdddf, 0x5, 0x8}) io_setup(0x3, &(0x7f0000000100)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="05630440000004000063404000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000004000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) r4 = openat$zero(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero\x00', 0x2, 0x0) recvfrom$unix(r2, &(0x7f0000000680)=""/4096, 0x1000, 0x101, &(0x7f0000000200)=@file={0x0, './file0\x00'}, 0x6e) setsockopt$inet6_tcp_TCP_ULP(r4, 0x6, 0x1f, &(0x7f0000000080)='tls\x00', 0x4) [ 375.120692] binder: 14441:14442 Acquire 1 refcount change on invalid ref 262144 ret -22 [ 375.129251] binder: 14441:14442 got transaction to context manager from process owning it [ 375.137760] binder: 14441:14442 transaction failed 29201/-22, size 0-4398046511104 line 2887 [ 375.268376] binder: undelivered TRANSACTION_ERROR: 29201 00:58:45 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) close(0xffffffffffffffff) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, 0xffffffffffffffff, 0x0, 0x10003, 0x0) 00:58:45 executing program 4: 00:58:45 executing program 5: 00:58:45 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="0563044000000000006340400000000000000000000010000000001b001500000000000000000000000000cb056bf47310bd46b8002000000000000000000000a1617bdcf42d5e10000000000000000000000000000f1cfbcc91d9b1479ae4eec46d3cb10aec784afcda1383f4d63a94d7ff91d0243bf6722b4bf6e423bd92c2b39fd693b5eb459c3f4fa72ad1e2fb1ca86e017f2d8dea8061229e0a4b945dc02bf53743abbd9464eea396f876f934062497d948866868d0dbfce8816263560a1c1ab698af127603689ee3e7d78b5942ec720a4f4791869e91a5766da606cf80fcc3a174984951a165b5903cec1f356a8f359ef7b0e72f1377373d281a3ef5895e7815a3037b236ed8184c7ef77cf92e9776cd7a1fb76b168fe7e2c4652741841f92ad4f2c4697fe61cad0cd06edd1d36f2f587a4e91673640ac977a7b7bca7c270bd756e1af5129b69fdbb1cadcdab65f8ab3bc1e6a5e55d4af408e42dbb59014dc155fc3bea5f3b74e45a985"], 0x0, 0x0, 0x0}) 00:58:45 executing program 5: 00:58:45 executing program 4: [ 375.506674] binder: 14445:14450 got transaction to context manager from process owning it [ 375.515368] binder: 14445:14450 transaction failed 29201/-22, size -5168235643998541051-8192 line 2887 00:58:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 375.693208] binder: undelivered TRANSACTION_ERROR: 29201 [ 375.698962] binder: send failed reply for transaction 967 to 14445:14450 [ 375.707839] binder: undelivered TRANSACTION_COMPLETE 00:58:45 executing program 3: sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(0xffffffffffffffff, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(0xffffffffffffffff) sendmmsg$alg(0xffffffffffffffff, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(0xffffffffffffffff, &(0x7f0000000fc0)=""/253, 0x24) 00:58:45 executing program 5: 00:58:45 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:45 executing program 4: [ 375.848188] binder: 14459:14461 got transaction to context manager from process owning it [ 375.856946] binder: 14459:14461 transaction failed 29201/-22, size 0-0 line 2887 [ 376.059877] binder: send failed reply for transaction 973 to 14459:14461 [ 376.077313] binder: undelivered TRANSACTION_COMPLETE [ 376.262669] net_ratelimit: 14 callbacks suppressed [ 376.262685] protocol 88fb is buggy, dev hsr_slave_0 [ 376.262915] protocol 88fb is buggy, dev hsr_slave_0 [ 376.268094] protocol 88fb is buggy, dev hsr_slave_1 [ 376.273299] protocol 88fb is buggy, dev hsr_slave_1 [ 376.278572] protocol 88fb is buggy, dev hsr_slave_0 [ 376.283853] protocol 88fb is buggy, dev hsr_slave_0 [ 376.288369] protocol 88fb is buggy, dev hsr_slave_1 [ 376.293526] protocol 88fb is buggy, dev hsr_slave_1 00:58:46 executing program 4: 00:58:46 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) close(0xffffffffffffffff) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, 0xffffffffffffffff, 0x0, 0x10003, 0x0) 00:58:46 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000007aa9c127c4db1914000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:46 executing program 5: 00:58:46 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:46 executing program 3: sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(0xffffffffffffffff, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(0xffffffffffffffff) sendmmsg$alg(0xffffffffffffffff, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(0xffffffffffffffff, &(0x7f0000000fc0)=""/253, 0x24) 00:58:46 executing program 5: 00:58:46 executing program 4: [ 376.555639] binder_alloc: 14484: binder_alloc_buf size 337238992 failed, no address space [ 376.564173] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) [ 376.573323] binder: 14484:14487 transaction failed 29201/-28, size 337238980-8 line 3035 00:58:46 executing program 3: sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(0xffffffffffffffff, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(0xffffffffffffffff) sendmmsg$alg(0xffffffffffffffff, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(0xffffffffffffffff, &(0x7f0000000fc0)=""/253, 0x24) 00:58:46 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 376.760422] binder: 14484:14487 got transaction to context manager from process owning it 00:58:46 executing program 5: 00:58:47 executing program 0: r0 = syz_open_dev$media(&(0x7f0000000040)='/dev/media#\x00', 0x3, 0x0) setsockopt$netlink_NETLINK_LISTEN_ALL_NSID(r0, 0x10e, 0x8, &(0x7f0000000100)=0x9, 0x4) r1 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) r3 = openat$ppp(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ppp\x00', 0x109881, 0x0) ioctl$PPPIOCSNPMODE(r3, 0x4008744b, &(0x7f0000000080)={0x281, 0x1}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="056304400000000000634040000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ed"], 0x0, 0x0, 0x0}) 00:58:47 executing program 3: socketpair(0x0, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 377.145891] binder: 14510:14512 got transaction to invalid handle 00:58:47 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) close(0xffffffffffffffff) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, 0xffffffffffffffff, 0x0, 0x10003, 0x0) 00:58:47 executing program 4: 00:58:47 executing program 5: 00:58:47 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) fsetxattr(r1, &(0x7f00000000c0)=@known='trusted.overlay.origin\x00', &(0x7f0000000100)='*vboxnet1@wlan0\'vmnet0}**md5sum\x00', 0x20, 0xba4ae339cb9951a4) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r1, 0xc0145401, &(0x7f0000000140)={0xffffffffffffffff, 0x2, 0x0, 0x3, 0x100000001}) r3 = syz_open_dev$cec(&(0x7f0000000040)='/dev/cec#\x00', 0x1, 0x2) bind$inet(r3, &(0x7f0000000080)={0x2, 0x4e22, @multicast1}, 0x10) 00:58:47 executing program 3: socketpair(0x0, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 377.494193] binder: 14521:14522 got transaction to context manager from process owning it 00:58:47 executing program 5: 00:58:47 executing program 4: [ 377.593679] binder: 14521:14531 ioctl c0145401 20000140 returned -22 00:58:47 executing program 3: socketpair(0x0, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 377.703626] protocol 88fb is buggy, dev hsr_slave_0 [ 377.709144] protocol 88fb is buggy, dev hsr_slave_1 00:58:47 executing program 5: 00:58:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="05630440000000000063404000000000000000000000000000000018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000beaf110ac00bbd0afb6886c9d47b983fac7119856587ad5a3bd1634f09851726312466e3f7021b141c3ff2d3ab0fa743e9665b5e484965c41bbd74a3b7fdf2f0f1e52d219b"], 0x0, 0x0, 0x0}) [ 377.793151] binder: send failed reply for transaction 986 to 14521:14522 [ 377.811169] binder: undelivered TRANSACTION_COMPLETE 00:58:47 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 377.971333] binder: 14545:14547 got transaction to context manager from process owning it [ 377.979860] binder_transaction: 3 callbacks suppressed [ 377.979893] binder: 14545:14547 transaction failed 29201/-22, size 0-0 line 2887 [ 378.169894] binder_release_work: 8 callbacks suppressed [ 378.169907] binder: undelivered TRANSACTION_ERROR: 29201 [ 378.181006] binder: send failed reply for transaction 992 to 14545:14547 [ 378.191480] binder: undelivered TRANSACTION_COMPLETE [ 378.196739] binder: undelivered TRANSACTION_ERROR: 29189 00:58:48 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) r1 = socket$inet_udp(0x2, 0x2, 0x0) close(r1) r2 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r2, &(0x7f0000000040)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(0xffffffffffffffff, 0x0, r1, 0x0, 0x10003, 0x0) 00:58:48 executing program 4: 00:58:48 executing program 5: 00:58:48 executing program 3: socketpair(0x8000000000001e, 0x0, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:48 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="05630445000000000063404000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000000000000000000000000000"], 0x0, 0x0, 0x0}) 00:58:48 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 378.546651] binder: 14561:14564 unknown command 1157915397 [ 378.552548] binder: 14561:14564 ioctl c0306201 200005c0 returned -22 00:58:48 executing program 4: 00:58:48 executing program 5: 00:58:48 executing program 3: socketpair(0x8000000000001e, 0x0, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:48 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) tee(r0, r1, 0x5, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/rtc0\x00', 0x80000, 0x0) ioctl$TUNGETFEATURES(r2, 0x800454cf, &(0x7f0000000480)) r3 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer\x00', 0x4401, 0x0) r4 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000280)='TIPCv2\x00') sendmsg$TIPC_NL_NET_GET(r3, &(0x7f00000003c0)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)=ANY=[@ANYBLOB='<\x00\x00\x00', @ANYRES16=r4, @ANYBLOB="04002cbd7000fedbdf250e0000ff0700000008000100ff0700000c000300080002feff0000000800010008000000a79585b84fc1a8216e8f02e80fdbaf43f9d637fd9ac116c2f572fa494855"], 0x3c}, 0x1, 0x0, 0x0, 0x80}, 0x24008000) socketpair$unix(0x1, 0x7, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="056304400000000000d8000000000000000000000001000000000000000000000000000000000000000100000000000000000000000000eb000000000000000000000000962e71ad000000002ca213ada3ee7d5d40aa36d19d77050c681ec2178cd0814c51daf1df0096fc0084bb49c1c665c15c0fe5f6d1775c7fff6d013bc05fe7abeed842285f2f555e16d06f00"], 0x0, 0x0, 0x0}) [ 378.749400] binder: send failed reply for transaction 998 to 14561:14564 [ 378.766706] binder: undelivered TRANSACTION_COMPLETE [ 378.772194] binder: undelivered TRANSACTION_ERROR: 29189 00:58:48 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:48 executing program 5: 00:58:49 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) r1 = socket$inet_udp(0x2, 0x2, 0x0) close(r1) r2 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r2, &(0x7f0000000040)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(0xffffffffffffffff, 0x0, r1, 0x0, 0x10003, 0x0) 00:58:49 executing program 4: [ 378.933326] binder: 14577:14578 unknown command 55296 [ 378.938676] binder: 14577:14578 ioctl c0306201 200005c0 returned -22 00:58:49 executing program 3: socketpair(0x8000000000001e, 0x0, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 379.035731] binder_alloc: binder_alloc_mmap_handler: 14577 20001000-20004000 already mapped failed -16 [ 379.115295] binder: BINDER_SET_CONTEXT_MGR already set [ 379.120773] binder: 14577:14588 ioctl 40046207 0 returned -16 00:58:49 executing program 5: [ 379.177178] binder_alloc: 14577: binder_alloc_buf, no vma [ 379.183061] binder: 14577:14578 transaction failed 29189/-3, size 24-8 line 3035 [ 379.217262] binder: release 14577:14578 transaction 1002 out, still active 00:58:49 executing program 4: [ 379.224462] binder: unexpected work type, 4, not freed [ 379.229751] binder: undelivered TRANSACTION_COMPLETE 00:58:49 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, 0x0) sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(0xffffffffffffffff, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(0xffffffffffffffff) sendmmsg$alg(0xffffffffffffffff, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(0xffffffffffffffff, &(0x7f0000000fc0)=""/253, 0x24) [ 379.318965] binder: undelivered TRANSACTION_ERROR: 29189 [ 379.324808] binder: send failed reply for transaction 1002, target dead 00:58:49 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0xfffffffffffffe6d, 0x0, &(0x7f0000000200)=ANY=[@ANYBLOB="dc2496157974d16a351738d56c659c24639cc8a9c65e3365bd3441ccc0b2236cf4eb6fe18d4ae134f353cfd79830a8ca054a2933d196cf2f3bf7f4bb0a90d8bb2563dba17e41beb8d1f9779a7ca52dd928f3f0559ee86997ee729ceb3610cb0c5e8edb486add31c6bbc616cdb8c4ba0c64e663b9f9db01845039fe41177573ef6da90206f39a67f4b24da6898dab1e198022ed06a61204b5c35192a59bbc7189fa963f80385f58c448e2d83051dba69e07f1bae010"], 0xffffffffffffff26, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r4 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x90080, 0x0) setsockopt$inet_sctp6_SCTP_INITMSG(r4, 0x84, 0x2, &(0x7f0000000080)={0x2, 0x401, 0x40, 0x10001}, 0x8) fsetxattr$security_selinux(r2, &(0x7f00000000c0)='security.selinux\x00', &(0x7f0000000100)='system_u:object_r:devpts_t:s0\x00', 0x1e, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f00000005c0)={0x0, 0x0, &(0x7f00000002c0)=ANY=[], 0xfffffffffffffe9f, 0x0, 0x0}) 00:58:49 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:49 executing program 1: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) r1 = socket$inet_udp(0x2, 0x2, 0x0) close(r1) r2 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r2, &(0x7f0000000040)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(0xffffffffffffffff, 0x0, r1, 0x0, 0x10003, 0x0) 00:58:49 executing program 5: 00:58:49 executing program 4: [ 379.635696] binder: 14608:14609 ioctl c0306201 20000000 returned -14 00:58:49 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:49 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, 0x0) sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(0xffffffffffffffff, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(0xffffffffffffffff) sendmmsg$alg(0xffffffffffffffff, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(0xffffffffffffffff, &(0x7f0000000fc0)=""/253, 0x24) 00:58:50 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000540)='/dev/binder#\x00', 0x0, 0x1) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000140)='/dev/null\x00', 0x402, 0x0) setsockopt$inet_tcp_TLS_TX(r1, 0x6, 0x1, &(0x7f0000000280), 0x4) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x103200, 0x0) ioctl$LOOP_GET_STATUS(r3, 0x4c03, &(0x7f0000000080)) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000019ddbbcca4d746f85000000001800000000000100080000000000000000000000000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="044b26cc70bbe9fa"]], 0x0, 0x0, 0x0}) r4 = add_key$user(&(0x7f00000002c0)='user\x00', &(0x7f0000000380)={'syz', 0x2}, &(0x7f0000000680)="c1f39950f7dd3c3affcb8cace07801aa8cc3fb6807e2683145975758b2672cb1b485ba55b6d29a2696fbdc20bbc648afca03dfa2a603147ebef1b894216c54d8d2283e9d172358e5a2a0718273f55c0830905c8c1f7be9136fed950f7e05b82e7303c502f9a9929273572dc24c7e7c67448ffb1c6b666b8da014255811fae57848924805c2d16391b8825b845403938999970836af922b674dfee7e6d85648d2a2b001fc70a739f470118c5935247a4f278bdd309ed17c0e2916c30520d0220bd2e02511d1b44ec615acd98956592a523e0b3de0ac8019d53a422fa6d02b2713e1000e75bac72452576b524b01ae77d1b581ac21dea98313e6fa49049ebc6c70952433ed3518f4c97b4762c9cb99af76cd39a1a8ef1052aabb3ef3104b8e133a83896ca74df164460afd7ced6fc1ec2e79e247d4bd43a88ef76e322e19f019593ac7aab794aff9c7103a7f5c3002f5439856a31d70df4c1ab0c75e1eed91d5524b92ae5314798d561d7257ddfcc49a62c432a31e284ed558565b3d87a560241caa1e8c39d2b6be9e11f469d1fac66019cb75c8df13c63f10af6a1eb8afb4691d9bfc84b188f3d2dd0568c1e10e2e0e2535c9082c4d4462c028bac38f2f6f8fe15754a1a5b3c2daa2c1e63c87d9cd0c57c4fc598c9631a5155b8333255824e75d741001d6301349c78321d96f7930de696adb6ac114474383910916ea1a32bc828bf819d78ae81dd78459757e6b370651006775afdca36957c12c6d6a17783ab4c2f3061264d80b1f091eb15404e326ec8e30efb50722ade7f6fac866a2dc3fffdb767600c30e9f465d024d650eb6ace9268cfef3bd97518181b487410efa2bb63632a69afbad1a4be53d733e97ef3b611547fab6367dabd3ed74cb094428754fe87f885af1c2746b54327bf84ded0fee2089c0323de6347c90c9888b3d4e9e33410912e0026babe1b121ed92ad0cbd9aaef788a32c710741ca9a7840e6c75c8228facb01d5e0d6d617557c100dabd6d47053700d0b1e4f7bb7e63e4e81bf4654e90d011b5efac25e98b7078728ebae80f57c47b0695b7a97c66a07b2c6c203801a6bd8da684e3cb3941d624c0f9582e40e6928b8a807f647ee485e964f8e43d831267947632a6a7e039bb5c4c342cb78bfffd3b3927dae456139c5827f2cf608ec9ca6aa7c2b7405524945c91419adf481889755aa47218641a707eb227a26420d5a79340cb161cdc8e47d53dbbd71f9f0d8db95ab4d57d589d94ebfcdaa29bfeb81ee48a89ac3b5d16a623bcb3057ef322f53469e99516bda866195e967464ab5ca4154e137ae45b71025b88e33923789e42783bf4f855ba90f40da23835e082c5d4b9d1dbac724b421777404812921b5cc19f450ab382c3155dd227032c881f2fc8d43c3c9bc606f21b73914e1d811c9b1ec14e19e0b72c9b66fb73c9208497c792ecfa43b3880ff884c16e1d4e7384a2298261fca0e646e58ad92bb9f76da38af0edb7b83aab72d2acf38645be508d58ab310780940c50136c00ee9aa9f3f89c1d603c6dc4531673ba83fb35e9660e4575dbbf2c0ae050e693460fcd09c39ec9b5f223dc71ea6e0b626722328cb27aa830956d8750922f9364e95cb157233ecf6ea3f6eb66d60f43b2e52a2f396b7f0da37f56a5581baaf99d004170a303265a83017543de0ae6e27eb6f4b96506dd6b3befeec33b830f93e5133b3b9eac869307f2330d99a6b981c4ed7ca5fe4744f2613811ac88db599802bbc9c7ad111a03d260ab7c4168d5fad4d2b107f20e90bb22fcb29f8464d2af8acf588b214191bdc92ef808c80bc93b6481dc3f92cb740051d5a41ab7d031a77c833dd3d57103315236d06f6a126baeb68ba3d9273e62ea9bc19f9cafe619e6c7850f8aaafcf15d7a6120a3b67d87c09bee9f9972b95bbd1723f5f41730b9c6fee6e01b6deb0ccbd32c6092e74432371b543f57fb5aaa215530729340f0cef3e4c75016601fd4d23cb6d8142f40cbeaffa11d7968e3233c0aa7dbd1cfccf99babdae7f98fc83549684b421df5bd403f563e41ec5ffb1bafcfeda5f76c4215675120dea72d95ec750e7cbb04d00811477912cf124b3daa144c52a7087af2445e6db1b81f31ed0f63e6ebc1cde7e5e1ffcbbf6edf4690341f484c4a40830f014c042379356cad5b44c071002d83dfd5d4fb13a291aea9efe435f513e06e829ccd3916ca0210259148ba23b1509d0322592eccdb5075e0ddc4d0a74193f23d27b970dd8ed061366e3bcec7fe3b62b6e8256a58d32d0bc798102eb87b015ad318eecc0fa7b02e0a80feaa0167b98c17393e885cf43e9ef29d264e351901893e29bd00370e26c5aed59b0f0ce8bd3eb3d37be77b0d0e66ed68700334476c107f6437ebde3bc77d518f309c4705a024e630a41f9710c15f9e1dab2517774cfe5693d37555fb5bbfeeb4c1a1e3ba27e1ca4d77ce83636b59a84e2d1a7bf40b970fab7620d5d4264579fd18b8434e1dde8a36074397e0f18ab0eab2d34d9129e982ef8ef00d3001e26ceab710bd80284b79f18002f8ecee3c4a189724bf343bb08373caf8364f413e353ce7d66902bd97281451aaa5bcb8595527f270dbd04a2be6ab2504f89478619fe4b0357c1382fcc8280c9c31e580df01e1912871678290356672f4b2e4047ead75513f16c1430d241e7d70983f4a8b921ad2d45e1c1f89cdceb5c1c630c9af9233ff6d2ea47323f4dce038b41025652899616cae999893589a9b00f705a7fb584ad2e123e7fde9984ff0268b77ae70d91e9654824b1cd0eead3f9b0fb28ebc5c59e0c785ba5e91309dbf37b4bdf6a65a100a0224870b18a0ce324f1ea9c37b3e7a7ad3e280135c62ea9b274e4f3d1968a607b094151ddad825d1e22b9160c9b00a530e155b86d739c235bd41f9800d0e1cbaa4c6b4fc6a50d152a0e1a01a7428cf2713dfb40433c1caecedc7588a7ee849894a8d717dafeb86821362b4fe9558c90eee42a9b8201dd666e473c7db1895af3cfc8fcc96920e142c201567522e2a46b20238aeeb62761a6186975482ae5e91bb4643072fc5a9e147943a9a5f701cdac50685aea922bc16ed729d16a6ba8d570496aeb296a04bbe5dcdc784816bc36458396ae9fc5f8b8df4f3d424116f8368699b5c3542d0f2870bffde3b95b901d7b8a7cc3bc7241a2d359c8f3e41714982a825e097438cbafd9df645db73a57bf52f16fad1c5befc2ca5bd4c1d10b0e3ae8dbf1b5e9092c09ad6795305cc8e9899424ec63449f41b8c4578f2fce10ed76b2f6a756259dd7b1d479bb8ada97eb1dfbe9e5efe96b6a7d89fd6144cf9b2b255d99317eb4b03ef37fbb2b1ed9e047bf101cc889b5007e5e2ca29f4544faf800b9c4c8f6c833b0facd6741485aa48035ccffa7ca80800838e17251cf3a39c46b17b6146645f7ed63102a7d5d882b7eb46782449009e47e9fb9bed50e2e3b4981f5ba0d6cfda9fcde12bd607157846af3d9c80aa31bf6ed8484a8fa34863835d549cd990ed7a31b5fe72b7d7e892bee4e4a7806c9f4266ef7007a43f18c737c3d4ac06c3ebc584e2cfef0bcd58edd3b538efd6ca53bb3869ab2652067b30ac3eed51dda083751e59972dacb2f418790bc69fb197193838e2b0b151e10186a5ad3efdc499d31538a15b17452b71a94d68b822a514c3f38a6b2a44fc59bf44039ecbd1d3255a174774da17be8fe7c8382d3d29bc133b47bdfe7a5f3a01eef6f6ba73b195e1a676282dc7c4e5bb651e0fb9d309b1a80633cd0d455a286da482b864bdf186af691268e1d63ef8c52767cc5b6dd54b255aa81149c31ec9f050577af16480f595c6b079ce6c1efea24f883c7da70d9e4a9effe87634c59fade22e0de5dc2a1c4d30c3bd72f4785fe6f5769dca0f66c5888c4ff05c27751a1c6a86f150a03aea878c64ec582704323e8e88d40298eb31a56d0e81abd0427c1274136b3ab9cf9e895103f6e6b768fde697d704109716bcb7ace2f0ac5e8b01c0c463abe16551ebe6d9ea3abfeeb09f8d86ca887d55d6ca0051072f55e6e796836cf2e2c000ee133c5850be8809108ad7cd54cff8bdd2ccb4eb1903642a9753db9098abe6baec450ab3ce0848c4f3b24fde7d9f9ffcc277da2b9a91a47330c7e29c63e56ad94d7f13f1e3aeda44d112c617134488235c5085362fba3171bc4345ceda2a123500ed36706e87593585c0b79e64c37c03311980f5de966c98861342f1ff184809f38cfaddda0f954ca8da25582a316aa5d6a6c45541573b9a2985538a81bd4f3560ad39d80b16215ecf4af2af126237c8c483fb15d44ed7e4145525223320f36e49c1f1700cdc62c7b659919abab298c74a69c048cfec4f31370c364a1b2458ad70b7aa31eea8ef2f1662ea5383488088f5ce8b2940d9aab792ffa854be8e6d196c9aa5d5e5e9ff34e2a4ff6140a82bbfd7a876e790ba59be6b26f6187993bd5a8b835029f9729a91c74a57e409a462766c835e42ecb0c90a16e4c3c6742ade9dc15c5aef644becbbb85c398be9ccad9d7e5243178c5ec91f412ad21a1aa2106a0671ba9c7da49459303c2b0df6f7574bf114187e2e5d01b87f97bfbe952f472d9912b0072e0c5e318e418860f1a8fb51cb9b933eaad744ef65168ea8008eef5c3c761fd6be232d7a82feaccb56ed2b24808607d1e944e93028cfab4a1a13c6c8be6a5aab9fa2baf6d2c6a4bd6eb0c800fc8450f16873012857543bbfa8909ec2e387aa83f642d0c7912df1acd7e523cf62f933ea223ac0643922cd7154d3e8cb737d4af0059900bef9c17e3128c127484b1207a45791ca31b0f52902dc7b61eb4e61097aee8761c2ac41bedd1c8a3ac4174330331aa5c125a3980ebb9feb19c452436d487d9c9f7999a46b9e4ee180a557c1bd521eba22c4524bc92c7ea9dd8ba0baba93c60467e9aa28f826da136ff326bb5cc39fe1df2bbd0bdcc3a9dda243810bc7d6867712057abf663d4e351c09a5634e5a98c27f9ef960edec565c7238d0df8d86dd752c16023b2d91ec88a24bacb1bc4f90ffa4e9bdc8bd76e579122c01c6f66669428a6f00d05e100d861707d24f5029420c3b411a25b893d5a6babb8df7622af0fdcfaa028cbc55e103466569a7ecfbdb31dd0a5ce4a8836a271a947c9cc13f0043998fbf2bc1efd39cacbd4f6e932f4eed7d15141ee3b1622c2f611a4c921480ba59708b428fd3c57542ac550eb9c9573dc8a8ced29bc9f17537ab7bb1751edc09c4e7889deb81f420640f82ed7cae122854327941f92a1cbbfaed4ffda7a34c0def157941bd09d49a59b52417925b5e2fb2c300a03171ca976deb7686d556462a83a67604ffd6681c441ed6ef4eb4874f7128ea4e75da582cd2ed65f052a296758e37fb32ecc7b8f3f9f09b13e719d5a6847d40d44538340ce2a8cd574e29e43548d525e8d6b47e4cb503301a4524b37afaf9f6c08ef33f44b3b01a92468e25903dc9829286aa4cc0f8764721360d0235ed34b08124bce4d05f82eb798eab1f08bc5ff8f9afff70854bab2a747eba83e983b24f6a75ec03aa555b179a0a22d1f9e45fdbb8dc42623a3d2bf56b3e0a8781e2b0d4c7022874643836340f92b00c37f559c6c08f73af25349aa4bf9b97599c6e0e0a560f4065ecebd77cdddd823712e74df3e78321eb440445ff57a1ff35064fa01a92548985367598263d9280d2bfe25f14cf7d4e0bf55b752eb6c9e00c0740273e74b08fb181d0a6623427cc5126c91add55dcc4cbd8c22abf1352615cc949e073b46f5b71868f9aab55b7bd1e3d903e96490b2f4b93f01", 0x1000, 0xfffffffffffffffb) keyctl$KEYCTL_PKEY_DECRYPT(0x1a, &(0x7f00000003c0)={r4, 0x400, 0x80}, &(0x7f0000000400)={'enc=', 'raw', ' hash=', {'xcbc-aes-neon\x00'}}, &(0x7f0000001680)="d285b5e692368ecef40a53f272a607edd06bf09c955d4a813822e5bff6fee231145972c0c4497c91f9ab3f27a28b670957892a14d6210dae80d1e589492ad7a73622ab237aa77b34c3f1d3afe75945ca1f92ce5bb2367963ef8473be53d812ce33bcad9a1ee10fb6de1d942524e7f53e99ac9b9a13765feabeae32c2d29dc45e2dd02aa2b460ffd1c6fb437fb6ce7a8e55e1aa51e82916c32a98e86dae29a761a0ed7d2daa6dff6f9be9b68b131a0897eb333a0d736a3d595f9c0fed8c52a06b4a025815383dee249e4a569326cc67ff970b6b6122856c69e6f4bdec33220ce33f5cb3bb3b24da105dcd10090dec7bad5b6b98f66a0398061089f69d70ad0c9249ce64f67255dbc881b0cfe6ab42f3745fa0b48b459760b7364deed2a5a172837d0f0af94ed4cee7dba069bacd3a516671e384ff95392c1bd54e39918530f7afed22d95d167b7359e52f8084f551190b9c825daccc9f0f5e8ec6cd6bd810c3e9972f1a33cec59649874e57bfc76624e01c38b5db52b6cbc0a76ae393b4bfe7ec46ee674e425b62072956ea56b87afb8499d326dc1c54032df16440413b4493a1b1f8b369a79c09be3c48c4f5b91e4c2fa7e470e06da39800331b3f52f81b11438a3f7ce4596d23b2f3267cf092ed46a7ca19c0d0e316151196cdbf35d29fff85b3d750cb569da45fb94beebe95586ba537a6b6361e154ce83c5cf2015605c05b6cb123ebe2d6a198c7858c6a84bbb508aa66d8ca19b5d2a0dbed427dbb080f3f32ecc25f7d7abd7684cbecf50eec97299be609b5afaa4fa0cbb5a4521e5ded4620b0e51a4138e70dd70b5e97a0b0f800d2f6273a4e95882c153d37db1ac52fec915168efe25b6d0469e2b93f12e0fe945588ccb0911846ce6c6d0e4ebda997393a8ff87925ce48c56ce691861f1cc83e7670033e6f4f09e2d80ee03381902232a744f6a1839789c61ec414279a800fb2348054659f21fff943af0717cecbed7fec557f8fc27c5a771ec740633aee59abf026da905bb857e26126e84f8d564b7477f4bc7431e2e8dc0cd94c75034d2e54665e2938f56c60cff8a2b89ce83dba0c92b5d460a31e84e8d2f2e7061c5e9dac8ea7be96561f2f0134d67218bc2526000a037c110707d970eb318169492208a74b9e4ee4e4e9e4a46b42b71f181bcfd6864fa145d989baad6ddcbfb23f990a48b2b8a74f1dd93ef897cea8ce44ac4341ce36ed9a902a5e09dde524e21e0e398f8c45ddae874313a45257b45fe084637ba360821a846000226fd627db890f0f091dbe8e8eb251e91d13a67716b616ccb6614fce19b9e3a8ef125993d6859a9bbeb405f1c34093f6188deb30ec375e6aa6e14fb4222b366a87489b6fce7df3ac0ab8a130d1458d3d01e1025bf52221dba09a57741cebbec080394b7ca1c989dbe5479ed0d8c83410d9414d1a87b996eee04c1ac7d0d5fe2b9c18bd9871bb356c62f0039541043c1fb7031145e0212ea227ec0b8b180379d22327b1c6050503ccf11acad35f281d19703eaa66530848a8bb7f9b69a48289499eef59004d7783c1067d3d85bf5a2672f60960dd15b700f477f9d5a48925bf72067d23382d8afab5eda7a701064f62ca39f62063e0eb2d4e6c7c4fa45b2944ba976f3e4cc34b77aeff61ad1531c4d400cbd71429453976562fb902d9cfc79a5fc028723e18c7ae169fac888a1caf4110be2d4935ae9bb5872c101df5d41eae9860fa472b42cd35f2bf2eadff453a7205d7f456e92d77152ce699b11a569f8e52aae872897a12eb6051119d95e46bf4a0988f197ffd31ecbb822a3e3f547052fb2e9d5574b508c9492360a08067f1d4f86e4c20d4663da8b558b76f9258bd5eb33d7f44757fce7bda924dc69be7d05b5c33490f01545b517744e5d63e044210f926498a1f6aa0379d0e19a8d45e11e2594240a8f6e98a328f53bb519e29dede0e44e9f166fa7454ac831eb86cfaa955c0a7ddf03bf552b1fbbff124b9080e29d3b66a788aad02f3d4990aca3489440de925d9265d65df1b4e354e03f2efbb7f816ea897c668df43be09e86152f6a90692f68fd14182c40af0e5d599231b460d4aeea4512c53bcd5441471eecb7c173152eab7afa60cc730b1961fb0c884a53a9475ad1b31733d871e49a52740cda789ac66515f894090dea1c1a1dfb74ec814e4b3f222ef0498ccaa70871b017fe7666a891ace42ac13726f2b7215c2ab9e5c5b400abbee525ae9b26efae841d8e5fb5f9540da3a98a1a91c74e9c2e287a590db957fc6b0cbdd3736bfe2b5ae073952e93a736412d9018f17e929e178a95d3c7e72ffd819b21ef79480575192a265fd9612562ed18828167c988eaad06f747b79e758a4f540f91fa2158ac483e126289a1160d1cb93f6abae5335746eb6138eabd97fda73d5e8a021cb72d4c34c152d758bce86ac7d68d4bbb8de8ceb78b61b0c1019c7fecb7d7af8988cd7a0737d1147410f073117810a41c0631649f4c1d2c8c1280472f284752f134335e28d58a6066c89d6616ae994b6d84c7ef70767064ad5d98f7751eea77d4e4a2cfc6790d8d211fd27d08ab920f9bb8d7cef1f2e7fc764d046100fe206319ed9715bfd1da3345096f4e9666886d04c1f143ee16738a64708c9544c8301fa2d127fa64d7c46296baefec4e1b799ba60fd220a1e5935808790e81a1aa24bb27889a9486a7e55abcb92d43f565ad4504bf0eaa95000193b1657ccaea00402a9ca5e2a92a1cad0afc3f75af85191706387ecc9c9c6f1204fe39c803c6cca93bac8fb09d380986dd1ec8176c3fe0778f4dd1c11fda12b23725f7d348020d21557da714a8794cd76c2ea0054bd517d793ae9bc45dfaf9d51c7b2b99ab4340a56a44b8a979f8e02aaf7a2e88669520dd2ab7e1636249d0dda14ae034f3e40aea89d9e399f75a10dfafcd9a61a123c5cdf8c53e86d474275dbc77763297b8d5ffe346aaa59f90751806a7e147652d740939c514fa1f50037b218e16bc86727ed86d0757460e2e56a139ef7a79209e52b24c29c0cc9cd6e6260fa1b8d9e035dae6209427cfea2f285c4be9b55d2942e8d1276248d4c54e6c7da95b687812799400d424a3431c38f4b60af7cf091644f492077938c40b23731a6652e89a825d688c830463d9ad00218da5ac348ae5a3efbe17ce3a974b330bd17dfd1c49b28e2f69cf94c2faeb3639fc235c88d4ebda9364fade68541bafb0f465e1b8ef594b6711f8ec4ae402606d837622784852daae0b9aadabff94eb31dae83767c5c5b52f22f9d1e53d98339ca8366e234afcda7156a617b2b24172bbd1a0a15a1a5e68fb75577192a88e1c554bc1dd77f9440fc98a1bf9881f34ebad91a4292838768d74d70a7e086312f4ea73e1fa2b8cd3351bba45f1df46c6749ecb4e878861fe3f88ca9730dc808315e473471f7435e29bd7da71d96bf6b1ed0724c298ee166e17734beb14f96e849728afb2a2caa70e78f201059625f72122ac7f2a7b84545dee850444d8912328e2e7e5a11142d4e89dc7043282d6847b92a389962ebab62c9fd89ae59068cf2df318668e272a504f183b647e7e936d8ffb37ddbd98d943befc1ace0190c1117e285ccbe09567587462627d5a77a8e77061826271affa8c1f2f73e9a81a6e49379e620ee9a05ec405b63cbe60cba2f517baf5d3de2e317b5d09fbc6c44d2c6b2b9e4a27f040a6a5ef76308f13f335f0a387e161c6fd67134c94a523dec493020815065d0bc2b18ecd976a9f9eebe17aacf3c29bbed23f1f70ee1fa584298bc690d7543e98d8f92985c40d718fd5b7b0f4ba6390eacd420bfec88bbb212c7f0b8736f50dccb3d05343d220bd11001f18ce98025a3dd96f41297d516f086cec241587c3d66e94f4a4f2a090d13e05953e0a0f08e78769fb230ab383e7985a42c0b393feff635b7bd4090560f00d3e752e0d9a70b1c1f69f3cd9d3290f9921b1af9684b132d57c91ef98a39e12373a54dc34f142c32ed93fe9a5ecfee571be4155f7a1ff281ea63ad02ffeed8ba7d2b1a97c336feffbf5fa0152351ffc4323b69e2b41b7292056f32d55e07ee6a53ca1481aec92b019b92fffe15688297b5ed74861110b57944f35c9edfa904fc17ac437ed39efee9473987743fcba5471741989ae39abf8f9e22d3be9e234c5bd46ebdd395ca904dff2e34792813954e3227e45cd4a06356e62b6960bb842a7a4b93bb3e734c89936f4ec46e0b8b92b2b1963320db91bf4445956327635279750e7a3a2a8b443126de6f6f2e48b6b28021a962843ee725006fbafedbed29e05c1044104adbab8b1885161d9fb7c514c14f6acf9b5363a33648cadadb5cbd42ea5bf18e2d242f3dbbe59d0ffce1db7d2ead85d8dcf1cd6f3e461ae18777ce121785842ccf8ab3b9546c96c676ff899c32c0091efac84a9fe07165639298da98e7ad6914689632f64b209aab21960be7087764e1f7077b883557111a45253c3d2a1244657a9e3738d078ecb44e951d4386a2fb3fbc65f48d99ee347ae2d70ab2b1014692134a40d7a173b6d7a35e5a90902e9b2077b8384a9458698d2bdc3004d48291321cdaebbcd22d575f33ab0ec116c47bb43c8ed81d46be883b9de4b4848070c840025d044cac67368c71095eabbc0ecae447a0cf2dbfb57107cc6e1fcfafdb9cb8ae2b77f6d2d59079ea64a9dbf32400fd83ba2b8856558a4a5bc1c29624c240f6b91c780781cc3ddc71b072aec8b81d33e6aa6296260b2fec3905eeef5e88006578cd8046e6ddf94a8dc0b54897bcb18f660e79a9ee0c29d657cc0f89701912e9f8a2d466be4a653200c428d32a03c8637db3aa5f4d153e93365a772e5aadc427300b33ad75c955ac78141394590e28a3e09a91b8233326eeb43c6ed7c0b1bd9203f363f44df88e499d33d7cee5ed6a28472ebcd3dc11a68b36aa4cc5e35a421ccf40e439e6275768a2935fc8bac2f618432d8f6500c589f63eddb00bd8c308f988db8dc1657f45fc7a6989fc9bc20963249c1d94ebcf3af52b9455b97f2acc9e7912301d2ceee9ea2fdf036e01d7bff88d4e8ecddcfd3ef1356e8f242786df3f70d044bff7a51af956e7537548bbf561d14adbbc4c162f6540c42ae8bd43f347be2adb8874957b5e35f0b86e1007eb85a360f380b5a0dbd538b6a01258dcccfc6a1299912f052ac98e1ce1d0d8dae9ae3d5c450aae8824408fbe07132e1c91f587acf16544eb243a7411d8a6dbe085a118fe7b72f48fabdd2346272a19dd3bf72d9354e524baf99cee3dd9a098cad0b85b4d934365b25b20e278ccbe7c4e02d3be7a2507f477bcc8214191553c473c39234ac81990f7419d8ddfd189dbfe2771b67a665fdeed7ad88b5c2136aed403c55f7c6926af99fa28d4841b3bfde2551cad6574bf08a1a6de538524e6e81a4b4356b15cc475957b15c760e4d8f1930adbd2790a60fa345d729d432fa5e9a23b1cce48ee8a7d7fe0b7dd0b6cd4e610fcf8bfd697882482a3a16f9e70e7f687273be88d589a3de59d47cc55bf6849acc099b01b57c555461ac53ae292943659da50b6969af0e7ba50858a51b2069319d0a3cab563c7d7ec6596f1026cd0cc4c4f77a0e942177174d85d406301372fdc45fe6e99446150eeda389dd98ebee6ca6da205a63d42f24e905069fdc749baabb3c85b30b3528ecbe55be50b4bf7c144b17f8668d9721d320af223996fec02016e6d4557f83ee3e5a3bab2a1732a9804a2070b4733899204db2e15fa33e1e86c6606b8c270b61e3de3975cab530129680a9d4b693951d0ae2cdc88a04a08412a37", &(0x7f0000000480)=""/59) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0xeb41) ioctl$TCSETAW(r3, 0x5407, &(0x7f00000004c0)={0xfffffffffffffff9, 0x40, 0x0, 0x4, 0xa, 0xb4, 0x6, 0xffffffff7fffffff, 0x5, 0x7}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) ioctl$PPPIOCSMAXCID(r3, 0x40047451, &(0x7f0000000180)=0x3) 00:58:50 executing program 5: 00:58:50 executing program 4: 00:58:50 executing program 1: socket$packet(0x11, 0x3, 0x300) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) [ 380.152706] binder: 14627:14631 got transaction to context manager from process owning it [ 380.161192] binder: 14627:14631 transaction failed 29201/-22, size 0-0 line 2887 00:58:50 executing program 5: [ 380.306122] binder_alloc: binder_alloc_mmap_handler: 14627 20001000-20004000 already mapped failed -16 00:58:50 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, 0x0) sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(0xffffffffffffffff, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(0xffffffffffffffff) sendmmsg$alg(0xffffffffffffffff, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(0xffffffffffffffff, &(0x7f0000000fc0)=""/253, 0x24) [ 380.356069] binder: BINDER_SET_CONTEXT_MGR already set [ 380.361500] binder: 14627:14631 ioctl 40046207 0 returned -16 00:58:50 executing program 4: [ 380.438011] binder_alloc: 14627: binder_alloc_buf, no vma [ 380.443794] binder: 14627:14641 transaction failed 29189/-3, size 0-0 line 3035 [ 380.465272] binder_alloc: 14627: binder_alloc_buf, no vma [ 380.470963] binder: 14627:14641 transaction failed 29189/-3, size 0-0 line 3035 [ 380.539034] binder: release 14627:14631 transaction 1009 out, still active [ 380.546278] binder: undelivered TRANSACTION_COMPLETE [ 380.567150] binder: undelivered TRANSACTION_ERROR: 29189 [ 380.572841] binder: undelivered TRANSACTION_ERROR: 29189 [ 380.578358] binder: undelivered TRANSACTION_ERROR: 29201 [ 380.584744] binder: send failed reply for transaction 1009, target dead 00:58:50 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:50 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$admmidi(&(0x7f0000000040)='/dev/admmidi#\x00', 0x7fff, 0x80) accept4(r2, &(0x7f0000000080)=@alg, &(0x7f0000000100)=0x80, 0x80800) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=ANY=[@ANYBLOB="056304400000000000634040000000000000000ec5b71e000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000007a130000"], 0x0, 0x0, 0x0}) 00:58:50 executing program 4: 00:58:50 executing program 5: 00:58:50 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 380.880293] binder: 14651:14653 got transaction to context manager from process owning it [ 380.888980] binder: 14651:14653 transaction failed 29201/-22, size 0-0 line 2887 00:58:51 executing program 4: 00:58:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000001800000000000000080000000000005f2d58438ca10600ef9bccacb825c25400", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:51 executing program 5: [ 381.076301] binder: undelivered TRANSACTION_ERROR: 29201 [ 381.082122] binder: send failed reply for transaction 1016 to 14651:14653 [ 381.093440] binder: undelivered TRANSACTION_COMPLETE [ 381.098656] binder: undelivered TRANSACTION_ERROR: 29189 [ 381.209735] binder_alloc: 14666: binder_alloc_buf size -4087878520958746616 failed, no address space [ 381.219203] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) [ 381.228745] binder: 14666:14668 transaction failed 29201/-28, size -6805990890866278400-2718112369907531782 line 3035 [ 381.290746] binder: 14666:14669 got transaction to context manager from process owning it [ 381.299426] binder: 14666:14669 transaction failed 29201/-22, size 0-0 line 2887 00:58:51 executing program 1: socket$packet(0x11, 0x3, 0x300) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:51 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:51 executing program 4: 00:58:51 executing program 5: 00:58:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x7fff, 0x3) write$FUSE_INTERRUPT(r3, &(0x7f0000000080)={0x10, 0xffffffffffffffda, 0x1}, 0x10) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:51 executing program 4: [ 381.488412] binder: undelivered TRANSACTION_ERROR: 29201 [ 381.542871] net_ratelimit: 10 callbacks suppressed [ 381.542888] protocol 88fb is buggy, dev hsr_slave_0 [ 381.553615] protocol 88fb is buggy, dev hsr_slave_1 [ 381.630003] binder: 14681:14684 got transaction to context manager from process owning it [ 381.638706] binder: 14681:14684 transaction failed 29201/-22, size 0-0 line 2887 00:58:51 executing program 5: r0 = socket$can_bcm(0x1d, 0x2, 0x2) connect$can_bcm(r0, &(0x7f0000000440), 0x10) sendmsg$can_bcm(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)={0x5, 0x0, 0x0, {}, {0x77359400}, {}, 0x1, @can={{}, 0x0, 0x0, 0x0, 0x0, "934341c138c7f1bf"}}, 0x48}}, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") sendmsg$can_bcm(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000480)={0x7, 0x0, 0x0, {0x77359400}, {0x77359400}, {}, 0x1, @can={{}, 0x0, 0x0, 0x0, 0x0, "197105f76ac7511b"}}, 0x48}}, 0x0) 00:58:51 executing program 4: [ 381.865296] protocol 88fb is buggy, dev hsr_slave_0 [ 381.871221] protocol 88fb is buggy, dev hsr_slave_1 [ 381.902613] binder: send failed reply for transaction 1026 to 14681:14684 [ 381.910178] binder: undelivered TRANSACTION_COMPLETE 00:58:52 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:52 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000040)=ANY=[@ANYBLOB="000000000000000082b9ed04eb50df3da305eaec0c2186099c7323fe3dcb545bab400a5d067d52aadc201a043d972e0ba8b5544ae578c7f29fe3682006d493646ff15c563266930f85d31276b991b2d9b3ac0bbd823a79852f963181a8c143ca03e1b13afb7c9cfa16af9d4b339f620d621bbe00b31104b6276f401cf1fef682d2214175047d6f4f901f2698a1a270205162b9f44624a68768124f4048fc7887bcebc663cada226f904093369faee305336f2711871121b0221adaa9c760a09098b25776760176"]], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$FS_IOC_GETVERSION(r0, 0x80087601, &(0x7f0000000140)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 00:58:52 executing program 5: [ 382.057911] binder: 14697:14698 ioctl 80087601 20000140 returned -22 [ 382.110055] binder: 14697:14698 got transaction to context manager from process owning it [ 382.118545] binder: 14697:14698 transaction failed 29201/-22, size 0-0 line 2887 [ 382.288555] binder: release 14697:14698 transaction 1032 out, still active [ 382.295911] binder: unexpected work type, 4, not freed [ 382.301311] binder: undelivered TRANSACTION_COMPLETE [ 382.306615] binder: send failed reply for transaction 1032, target dead 00:58:52 executing program 1: socket$packet(0x11, 0x3, 0x300) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:52 executing program 4: 00:58:52 executing program 5: 00:58:52 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 00:58:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0x0, 0xffffffffdffffffb) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 382.483597] binder: 14709:14714 got transaction to context manager from process owning it [ 382.502788] protocol 88fb is buggy, dev hsr_slave_0 [ 382.503535] protocol 88fb is buggy, dev hsr_slave_0 [ 382.508372] protocol 88fb is buggy, dev hsr_slave_1 [ 382.513393] protocol 88fb is buggy, dev hsr_slave_1 [ 382.518705] protocol 88fb is buggy, dev hsr_slave_0 [ 382.523749] protocol 88fb is buggy, dev hsr_slave_0 00:58:52 executing program 4: 00:58:52 executing program 5: 00:58:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) getpid() fsetxattr(r0, &(0x7f0000000080)=@known='trusted.overlay.nlink\x00', &(0x7f00000000c0)='GPL\x00', 0x4, 0x1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000001000000000000000000000000000018000000000000002c526b0800000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = syz_open_dev$admmidi(&(0x7f0000000100)='/dev/admmidi#\x00', 0x7f, 0x101000) ioctl$PIO_UNIMAPCLR(r3, 0x4b68, &(0x7f0000000140)={0x1000, 0x4, 0x3f}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000040)='rose0\x00', 0x10) [ 382.755833] binder_alloc: 14725: binder_alloc_buf size 141251144 failed, no address space [ 382.764489] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) 00:58:53 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(0xffffffffffffffff, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000640)={0x0}}, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:53 executing program 4: 00:58:53 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) 00:58:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = accept(r2, 0x0, &(0x7f0000000040)) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f0000001740)={{{@in6=@dev, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in=@remote}}, &(0x7f00000002c0)=0xe8) lstat(&(0x7f0000000540)='./file0\x00', &(0x7f0000001840)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f00000018c0)={{{@in=@loopback, @in=@empty, 0x4e24, 0x7fffffff, 0x4e21, 0x93, 0x2, 0x20, 0x80, 0x88, r4, r5}, {0x2, 0x6, 0x800, 0x1, 0x80000001, 0x6, 0x800, 0x100000000}, {0x7, 0x0, 0xb03, 0x4}, 0x3, 0x6e6bc0, 0x0, 0x0, 0x1, 0x3}, {{@in=@remote, 0x4d6, 0x32}, 0xa, @in=@initdev={0xac, 0x1e, 0x1, 0x0}, 0x3504, 0x0, 0x3, 0x1, 0x5, 0x80000000, 0x4}}, 0xe8) lsetxattr$security_capability(&(0x7f0000000080)='./file0/file0\x00', &(0x7f00000000c0)='security.capability\x00', &(0x7f0000000100)=@v2={0x2000000, [{0x4925, 0xfffffffffffffff9}, {0xe5, 0xfffffffffffffff7}]}, 0x14, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 383.086552] binder: 14734:14735 got transaction to context manager from process owning it [ 383.095134] binder_transaction: 2 callbacks suppressed [ 383.095164] binder: 14734:14735 transaction failed 29201/-22, size 0-0 line 2887 [ 383.203407] binder_release_work: 6 callbacks suppressed [ 383.203427] binder: undelivered TRANSACTION_ERROR: 29201 [ 383.214656] binder: send failed reply for transaction 1043 to 14734:14735 [ 383.224297] binder: undelivered TRANSACTION_COMPLETE [ 383.229524] binder: undelivered TRANSACTION_ERROR: 29189 00:58:53 executing program 1: setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:53 executing program 5: 00:58:53 executing program 4: 00:58:53 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) 00:58:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0xfffffffffffffffd) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) [ 383.450896] binder: 14744:14749 transaction failed 29189/-22, size 24-8 line 2896 00:58:53 executing program 4: 00:58:53 executing program 5: 00:58:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000005c0)={0x4c, 0x0, &(0x7f0000000600)=[@acquire, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) io_setup(0x8, &(0x7f0000000040)=0x0) pipe2(&(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80000) r5 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000540)='memory.swap.current\x00', 0x0, 0x0) r6 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000780)='/dev/vsock\x00', 0x129000, 0x0) io_submit(r3, 0x6, &(0x7f0000000800)=[&(0x7f0000000280)={0x0, 0x0, 0x0, 0x2, 0x2, r1, &(0x7f0000000080)="01e4073c67078e9725028e8445798faa57239405873e67f7fb12bf6f646e9aa0705ea510f9d058592acff19967088f90178fa56cf193ab8c4ef57a338587e758af71567a4f3b62451905df74d19306ba6589ce5a0c5d58f126c93537fae118104b8dba09b30da2e64d2130c9dae456682dc0c1ff2e267a207b7b60f8df459c1f4706eb350d69e03b54b3c8fac49e105b782484f8b6bd8a", 0x97, 0x9, 0x0, 0x1, r4}, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x7, 0x8000, r1, &(0x7f00000002c0)="e93be4ef6c55e60d1a31a2ba75cdc9acf438c2d9ebed8684ae64ad5e65b27660e5926a8f14845b57ef46c2ece39b85bae3", 0x31, 0x40, 0x0, 0x1, 0xffffffffffffff9c}, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x7, 0x8000, r1, &(0x7f00000003c0)="eaa03c228ae0edb0a2b3b3ddc4bf4623d1f1c3107572bfa636835233ba0609c5fa41f799", 0x24, 0x4, 0x0, 0x1, 0xffffffffffffff9c}, &(0x7f0000000580)={0x0, 0x0, 0x0, 0xa, 0x200, r1, &(0x7f0000000440)="dab8ade5cc86bc0d3caac96ac992b3d86a99331fe4b195d38a67719946d91634db9383c478962301a3b8dd3840e7e461d67f62c72b149d1b14195ad9406c4f8a17a2c90d1b210732ac58ea5b34fb59606e86e5565222801dfd2f7c2513c241576c86bb1f4847e822b1601fccff6a95b6274914a53a4eec06d587bed81ba2eda4959011e2debc81b22f36e9208ea8ec98fe14d966dbbdd98fb8b0abe99da110a44fd3bec4121d4ff3c9b2b3d5187eac8a5031fa2cb9bccd971abec8a1dfe58bc62cd0161aed353392ce0f63572eba75b06025e08a4b4d9ff515", 0xd9, 0x8, 0x0, 0x1, r5}, &(0x7f0000000700)={0x0, 0x0, 0x0, 0x8, 0x9, r0, &(0x7f0000000680)="b6317b59559028c771334665cc987e889245629fe1161fb47464acbf9bc1ef43fa73e9d76d6f217187dbaca792f9ccdf34e74a74d9eb8c541cd2c1f2f23c1fe5c8d0ff74074270f572b8639395489fe1c1991bc1e091f205", 0x58, 0x20, 0x0, 0x1}, &(0x7f00000007c0)={0x0, 0x0, 0x0, 0x7, 0x100000000, r1, &(0x7f0000000740)="950a537a3b03236797567726773a205bca6767ce6603753ae9f38fca9e7bc21911357a29fb8831e920101df6ca97", 0x2e, 0x5, 0x0, 0x0, r6}]) [ 383.639209] binder: undelivered TRANSACTION_ERROR: 29189 [ 383.764092] binder: 14759:14760 got transaction to context manager from process owning it [ 383.772603] binder: 14759:14760 transaction failed 29201/-22, size 0-0 line 2887 00:58:53 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:53 executing program 5: 00:58:53 executing program 4: 00:58:53 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) [ 383.896720] binder: undelivered TRANSACTION_ERROR: 29201 [ 383.902429] binder: send failed reply for transaction 1050 to 14759:14760 [ 383.910077] binder: undelivered TRANSACTION_COMPLETE [ 383.915362] binder: undelivered TRANSACTION_ERROR: 29189 00:58:54 executing program 1: setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:54 executing program 0: 00:58:54 executing program 4: 00:58:54 executing program 5: 00:58:54 executing program 2: 00:58:54 executing program 4: 00:58:54 executing program 0: 00:58:54 executing program 5: 00:58:54 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:54 executing program 2: 00:58:54 executing program 4: 00:58:54 executing program 5: 00:58:55 executing program 1: setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:55 executing program 0: 00:58:55 executing program 2: 00:58:55 executing program 4: 00:58:55 executing program 5: 00:58:55 executing program 0: 00:58:55 executing program 2: 00:58:55 executing program 4: 00:58:55 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:55 executing program 5: 00:58:55 executing program 0: 00:58:55 executing program 2: 00:58:56 executing program 1: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:56 executing program 4: 00:58:56 executing program 0: 00:58:56 executing program 2: 00:58:56 executing program 5: 00:58:56 executing program 4: 00:58:56 executing program 5: 00:58:56 executing program 2: 00:58:56 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:56 executing program 0: 00:58:56 executing program 4: 00:58:56 executing program 5: 00:58:57 executing program 1: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:57 executing program 2: 00:58:57 executing program 4: 00:58:57 executing program 0: 00:58:57 executing program 5: 00:58:57 executing program 0: 00:58:57 executing program 2: 00:58:57 executing program 4: 00:58:57 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:57 executing program 5: 00:58:57 executing program 2: 00:58:57 executing program 4: 00:58:58 executing program 1: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r4, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r2, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r1, 0x0, r3, 0x0, 0x10003, 0x0) 00:58:58 executing program 0: 00:58:58 executing program 4: 00:58:58 executing program 5: 00:58:58 executing program 2: 00:58:58 executing program 5: 00:58:58 executing program 4: 00:58:58 executing program 2: 00:58:58 executing program 5: 00:58:58 executing program 0: 00:58:58 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x0, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:58 executing program 2: 00:58:59 executing program 1: socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:58:59 executing program 4: 00:58:59 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$IP_VS_SO_GET_INFO(0xffffffffffffffff, 0x0, 0x481, 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full\x00', 0x0, 0x0) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0x0) dup3(r0, r1, 0x0) ioctl$TIOCSPGRP(0xffffffffffffffff, 0x5410, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, 0x0, 0x0) getgroups(0x0, 0x0) gettid() ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) getegid() setsockopt$inet_tcp_TLS_RX(r1, 0x6, 0x2, &(0x7f0000002e40), 0x4) 00:58:59 executing program 5: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) syz_execute_func(&(0x7f0000000340)="3666440f50f564ff0941c30f0f441e04a4c4c27d794e0066420fe2e33e0f1110c442019dcc6f") clone(0x200, 0x0, 0x0, 0x0, 0x0) mknod(&(0x7f0000f80000)='./file0\x00', 0x1040, 0x0) execve(0x0, 0x0, 0x0) r1 = creat(&(0x7f0000000080)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x8) dup2(r0, r1) execve(&(0x7f00000002c0)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) open$dir(0x0, 0x0, 0x0) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000180)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) write$P9_RSTAT(r1, 0x0, 0x0) 00:58:59 executing program 0: perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev, 0x6}, 0x1c) setsockopt$inet6_mtu(r0, 0x29, 0x17, &(0x7f0000000140)=0x3, 0x4) sendmmsg(r0, &(0x7f00000092c0), 0x4ff, 0x0) prctl$PR_SET_SPECULATION_CTRL(0x35, 0x0) 00:58:59 executing program 2: r0 = socket$inet(0x2, 0x2, 0x0) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) clone(0x0, 0x0, 0x0, 0x0, 0x0) fchmod(r0, 0x0) 00:58:59 executing program 4: write(0xffffffffffffffff, &(0x7f00000001c0), 0xfffffef3) open(0x0, 0x141800, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000003c0)='attr/keycreate\x00') readv(0xffffffffffffffff, &(0x7f0000002340)=[{&(0x7f0000002380)=""/4096, 0x1000}], 0x1) readv(r0, &(0x7f0000000580), 0x3c1) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) socket$netlink(0x10, 0x3, 0x7) 00:58:59 executing program 5: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)) socket$inet6(0xa, 0xb, 0x2) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, 0x0, 0x400, 0x0) ioctl$sock_inet_SIOCADDRT(0xffffffffffffffff, 0x890b, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000080)=ANY=[@ANYBLOB="01a66322610c9b5d2619f6ba35a683db82040000"]) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT(r1, 0x404c534a, &(0x7f0000000000)={0x2, 0x10001, 0x2}) ioctl$DRM_IOCTL_AGP_INFO(r1, 0x80386433, &(0x7f00000003c0)=""/125) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0xe3) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) sendmsg(r3, 0x0, 0x4000) sendmsg(r1, 0x0, 0x40000) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000200)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x3f, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$TUNSETOFFLOAD(r1, 0x400454d0, 0x4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x80000000) 00:58:59 executing program 4: r0 = getpid() sched_setattr(r0, &(0x7f00000002c0)={0x0, 0x2, 0x0, 0x0, 0x3}, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control\x00', 0x1, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000580)='/dev/rtc0\x00', 0x20000, 0x0) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, 0x0) getgid() add_key$user(&(0x7f0000000600)='user\x00', &(0x7f0000000640)={'syz', 0x3}, &(0x7f00000007c0)="dca3c74b87c88ccd47653a443b23f60d3dca0fbfc05354f40c0b13017f5a", 0x1e, 0xfffffffffffffffc) ioctl$RTC_PIE_OFF(0xffffffffffffffff, 0x7006) r3 = request_key(&(0x7f0000000300)='encrypted\x00', &(0x7f0000000340)={'syz', 0x0}, &(0x7f0000000440)=':\x00', 0xfffffffffffffffc) keyctl$restrict_keyring(0x1d, r3, 0x0, &(0x7f00000004c0)='TRUE') add_key$user(&(0x7f00000006c0)='user\x00', &(0x7f0000000700)={'syz'}, 0x0, 0x0, 0xfffffffffffffffb) request_key(&(0x7f0000000140)='logon\x00', &(0x7f00000008c0)={'syz', 0x0}, 0x0, 0xfffffffffffffff8) linkat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x1400) fstat(r2, &(0x7f0000000740)) ioctl$DRM_IOCTL_SET_SAREA_CTX(0xffffffffffffffff, 0x4010641c, &(0x7f0000000b80)={0x0, &(0x7f0000000b00)=""/119}) setpgid(r0, r0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x40, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x9, 0xbd49, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, r0, 0x0, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') setxattr$trusted_overlay_upper(&(0x7f0000000400)='./file0\x00', &(0x7f0000000480)='trusted.overlay.upper\x00', &(0x7f0000000500)={0x0, 0xfb, 0x4f, 0x6, 0x5, "fae6bc8cf1a5ca4bd5bbd3cdfa564485", "b5484f407fbc4e33194c715a92a38be87b7ef8659097a96061a752d6f651980e043b0c925bd4beb6ad57328dd4eec9ee787631db6244c9b70270"}, 0x4f, 0x0) listen(r2, 0xd4) mkdir(&(0x7f0000000040)='./file0\x00', 0x40) dup2(0xffffffffffffffff, 0xffffffffffffffff) 00:58:59 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x0, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:58:59 executing program 2: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x5, 0xa, 0x800, 0x3}, 0x2c) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000140)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20) [ 389.862976] net_ratelimit: 2 callbacks suppressed [ 389.862994] protocol 88fb is buggy, dev hsr_slave_0 [ 389.873517] protocol 88fb is buggy, dev hsr_slave_1 00:59:00 executing program 4: perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0xffffffffffffff26, &(0x7f0000000140)) socket$inet6(0xa, 0x0, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, 0x0, 0x400, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT(r1, 0x404c534a, &(0x7f0000000000)={0x2, 0x10001}) ioctl$DRM_IOCTL_AGP_INFO(0xffffffffffffffff, 0x80386433, 0x0) r3 = openat(0xffffffffffffff9c, 0x0, 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) sendmsg(r3, 0x0, 0x4000) sendmsg(0xffffffffffffffff, 0x0, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000100)="460f300f07c483614804ee08440f20c03506000000440f22c0c402f93473230f09f20f013cb9b805000000b9c00000000f01d90fc728c4c1f9e79f2e000000", 0x3f}], 0x1, 0x0, 0x0, 0x0) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x4) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$ASHMEM_SET_SIZE(0xffffffffffffffff, 0x40087703, 0x0) 00:59:00 executing program 1: socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:59:00 executing program 2: syz_emit_ethernet(0x66, &(0x7f0000000240)={@local, @dev, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x58, 0x0, 0x0, 0x0, 0x0, 0x0, @multicast1, @remote}, @gre}}}}, 0x0) 00:59:00 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x10000000013, &(0x7f0000000280)=0x1, 0x4) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000080)='veth1\x00', 0xb) connect$inet(r0, &(0x7f00000000c0)={0x2, 0x0, @loopback}, 0x10) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000040)={0x0, 0x6, 0x7f}, 0x14) setsockopt$inet_tcp_int(r0, 0x6, 0x4000000000013, &(0x7f0000000140), 0x27b) sendto(r0, &(0x7f0000000300)="d0", 0x1, 0x0, 0x0, 0x0) sendto(r0, &(0x7f0000000100)="06", 0x1, 0x0, 0x0, 0x0) write$binfmt_aout(r0, &(0x7f00000015c0)=ANY=[@ANYBLOB='\b'], 0x1) 00:59:00 executing program 2: bpf$MAP_CREATE(0x0, &(0x7f0000000080)={0x9, 0xd, 0x209e1e, 0x9, 0x2}, 0x2c) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070") bpf$MAP_CREATE(0x2, &(0x7f0000003000)={0x3, 0x0, 0x77fffb, 0x0, 0x820000, 0x0}, 0x13) bpf$MAP_CREATE(0x2, &(0x7f0000003000)={0x3, 0x0, 0x77fffb, 0x0, 0x820000, 0x0}, 0x2c) [ 390.823235] protocol 88fb is buggy, dev hsr_slave_0 [ 390.823831] protocol 88fb is buggy, dev hsr_slave_0 [ 390.828778] protocol 88fb is buggy, dev hsr_slave_1 [ 390.833754] protocol 88fb is buggy, dev hsr_slave_1 [ 390.839194] protocol 88fb is buggy, dev hsr_slave_0 [ 390.844072] protocol 88fb is buggy, dev hsr_slave_0 [ 390.849010] protocol 88fb is buggy, dev hsr_slave_1 [ 390.853969] protocol 88fb is buggy, dev hsr_slave_1 00:59:01 executing program 0: clone(0x13102001fef, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x1b) ptrace$cont(0x18, r0, 0x0, 0x0) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x0, 0x3, 0x1, 0x13d}) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x18, r0, 0x0, 0x0) 00:59:01 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") r1 = socket$kcm(0x10, 0x2, 0x10) sendmsg$kcm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000180)="2e0000001d008107e00f80ecdb4cb9d9056319041a000f00000000fb120001000e00da1b40d819a9060015000000", 0x2e}], 0x1}, 0x0) 00:59:01 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x0, &(0x7f0000000100)="0adc1f123c123f3188b070") write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) 00:59:01 executing program 2: r0 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x0) readv(r0, &(0x7f0000000480)=[{&(0x7f0000000000)=""/43, 0x2b}], 0x1) ioctl$int_in(r0, 0x80000040045010, &(0x7f00000001c0)=0x3) read$eventfd(r0, &(0x7f0000000180), 0x8) 00:59:01 executing program 4: bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x3, 0x4, &(0x7f0000346fc8)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x201a7fa6, 0x0, 0x1, 0x24}]}, &(0x7f0000000100)='GPL\x00'}, 0x48) 00:59:01 executing program 5: r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) connect$inet(r0, 0x0, 0x0) r1 = socket$inet(0x2, 0x3, 0x7) setsockopt$inet_group_source_req(r1, 0x0, 0x2e, &(0x7f0000000300)={0x1, {{0x2, 0x0, @multicast1}}, {{0x2, 0x0, @broadcast}}}, 0x108) setsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000000080)={0x0, @rand_addr=0x8000, @remote}, 0xc) 00:59:01 executing program 1: socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = socket$inet_udp(0x2, 0x2, 0x0) close(r2) r3 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r3, &(0x7f0000000040)={0x11, 0x0, r4, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r1, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r0, 0x0, r2, 0x0, 0x10003, 0x0) 00:59:01 executing program 4: r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc0\x00', 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000003c0)={0xffffffffffffffff}) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2000000000000002, 0x0, &(0x7f0000000000)) ioctl$ASHMEM_GET_PIN_STATUS(0xffffffffffffffff, 0x7709, 0x0) timerfd_create(0x0, 0x807ff) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000001080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setaffinity(0x0, 0x7, &(0x7f00000000c0)=0x9) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x2, 0x0) mmap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x2000000, 0x110, r1, 0x0) bind$inet6(r2, &(0x7f00000000c0)={0xa, 0x4e20}, 0x1c) sendto$inet6(r2, 0x0, 0x0, 0x8000, &(0x7f0000000240)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) write$binfmt_elf64(r2, &(0x7f0000000280)=ANY=[@ANYBLOB="7f454c46000061779ba13d083152002f13cd01000000000000000000020000000d000000000000000000007312c7005e19b3901d547ac20000380000000000ff03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x71) recvmmsg(r2, &(0x7f0000008880), 0x45b, 0x44000102, 0x0) r3 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_KVMCLOCK_CTRL(r0, 0xaead) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) semctl$GETNCNT(0x0, 0x0, 0xe, 0x0) fcntl$setpipe(0xffffffffffffffff, 0x407, 0x0) accept4(r3, &(0x7f0000000100)=@pptp, &(0x7f0000000180)=0x80, 0x80000) 00:59:01 executing program 0: socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) ioctl$sock_ifreq(r0, 0x200008924, &(0x7f0000000000)={'bridge0\x00', @ifru_settings={0x1, 0xff, @fr_pvc=0x0}}) 00:59:01 executing program 5: clone(0x200, 0x0, 0x0, 0x0, 0x0) mknod(&(0x7f0000f80000)='./file0\x00', 0x1040, 0x0) execve(&(0x7f0000000340)='./file0\x00', 0x0, 0x0) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180)='/dev/ptmx\x00', 0x0, 0x0) read(r0, &(0x7f0000000540)=""/11, 0x485) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000200)) clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) creat(&(0x7f0000000280)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x10a) syz_execute_func(&(0x7f00000002c0)="3666440f50f564ff0941c3c4e2c9975842c4c27d794e0066420fe2e33e0f1110c442019dccd3196f") r1 = dup2(r0, r0) execve(&(0x7f00000000c0)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) ioctl$EVIOCGREP(r1, 0x80084503, 0x0) open$dir(&(0x7f0000000240)='./file0\x00', 0x841, 0x0) [ 391.589184] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. 00:59:01 executing program 0: syz_execute_func(&(0x7f0000000000)="3666440f50f564ff0941c3c4e2c9975842c4c27d794e0066420fe2e33e0f1110c442019dccd3196f") clone(0x100000203, 0x0, 0x0, 0x0, 0x0) mknod(&(0x7f0000f80000)='./file0\x00', 0x1040, 0x0) execve(&(0x7f0000000400)='./file0\x00', 0x0, 0x0) r0 = creat(&(0x7f0000000080)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x10a) close(r0) execve(&(0x7f0000000100)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r1, 0x6, 0x200800000000013, &(0x7f0000000280)=0x400100000001, 0x4) connect$inet6(r1, &(0x7f0000000080), 0x1c) r2 = dup2(r1, r1) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r2, 0x6, 0x16, &(0x7f0000000440), 0x131f64) open$dir(&(0x7f0000000240)='./file0\x00', 0x841, 0x0) clone(0x3102001ff6, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) execve(&(0x7f0000000180)='./file0\x00', 0x0, 0x0) setsockopt$IP_VS_SO_SET_EDIT(r2, 0x0, 0x483, 0x0, 0x0) 00:59:01 executing program 4: openat$urandom(0xffffffffffffff9c, 0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev, 0x6}, 0x1c) setsockopt$inet6_mtu(r0, 0x29, 0x17, &(0x7f0000000140)=0x3, 0x4) sendmmsg(r0, &(0x7f00000092c0), 0x4ff, 0x0) prctl$PR_SET_SPECULATION_CTRL(0x35, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) [ 391.855592] ================================================================== [ 391.863056] BUG: KMSAN: uninit-value in linear_transfer+0xa1b/0xc50 [ 391.869483] CPU: 1 PID: 14990 Comm: syz-executor.2 Not tainted 5.0.0-rc1+ #9 [ 391.876692] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 391.886047] Call Trace: [ 391.888689] dump_stack+0x173/0x1d0 [ 391.892403] kmsan_report+0x12e/0x2a0 [ 391.896233] __msan_warning+0x82/0xf0 [ 391.900069] linear_transfer+0xa1b/0xc50 00:59:01 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") r1 = socket$packet(0x11, 0x3, 0x300) setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000fbe000)={0x2, &(0x7f0000000080)=[{0x28, 0x0, 0x0, 0x100}, {0x80000006}]}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r4 = socket$inet_udp(0x2, 0x2, 0x0) close(r4) r5 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f00000000c0)={'lo\x00', 0x0}) bind$packet(r5, &(0x7f0000000040)={0x11, 0x0, r6, 0x1, 0x0, 0x6, @local}, 0x14) write$binfmt_misc(r3, &(0x7f0000000080)=ANY=[], 0x4240a3c3) splice(r2, 0x0, r4, 0x0, 0x10003, 0x0) [ 391.904189] ? snd_pcm_plugin_build_linear+0xc00/0xc00 [ 391.909502] snd_pcm_plug_read_transfer+0x3bf/0x590 [ 391.914587] snd_pcm_oss_read+0xa4a/0x1960 [ 391.918874] do_iter_read+0x8e0/0xe10 [ 391.922722] ? snd_pcm_oss_unregister_minor+0x4b0/0x4b0 [ 391.928103] do_readv+0x2a7/0x620 [ 391.931590] ? __msan_metadata_ptr_for_store_4+0x13/0x20 [ 391.937069] ? prepare_exit_to_usermode+0x114/0x420 [ 391.942120] ? kmsan_get_shadow_origin_ptr+0x60/0x440 [ 391.947347] __se_sys_readv+0x9b/0xb0 [ 391.951178] __x64_sys_readv+0x4a/0x70 [ 391.955068] do_syscall_64+0xbc/0xf0 [ 391.958807] entry_SYSCALL_64_after_hwframe+0x63/0xe7 [ 391.964018] RIP: 0033:0x457e29 [ 391.967209] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 391.986140] RSP: 002b:00007f210d91cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 [ 391.993956] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29 [ 392.001238] RDX: 0000000000000001 RSI: 0000000020000480 RDI: 0000000000000003 [ 392.008513] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 392.015797] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f210d91d6d4 [ 392.023105] R13: 00000000004c494f R14: 00000000004d8510 R15: 00000000ffffffff [ 392.030415] [ 392.032049] Uninit was created at: [ 392.035639] No stack [ 392.037965] ================================================================== [ 392.045349] Disabling lock debugging due to kernel taint [ 392.050800] Kernel panic - not syncing: panic_on_warn set ... [ 392.056710] CPU: 1 PID: 14990 Comm: syz-executor.2 Tainted: G B 5.0.0-rc1+ #9 [ 392.065286] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 392.074641] Call Trace: [ 392.077267] dump_stack+0x173/0x1d0 [ 392.080929] panic+0x3d1/0xb01 [ 392.084198] kmsan_report+0x293/0x2a0 [ 392.088062] __msan_warning+0x82/0xf0 [ 392.091956] linear_transfer+0xa1b/0xc50 [ 392.096073] ? snd_pcm_plugin_build_linear+0xc00/0xc00 [ 392.101366] snd_pcm_plug_read_transfer+0x3bf/0x590 [ 392.106461] snd_pcm_oss_read+0xa4a/0x1960 [ 392.110762] do_iter_read+0x8e0/0xe10 [ 392.114616] ? snd_pcm_oss_unregister_minor+0x4b0/0x4b0 [ 392.120007] do_readv+0x2a7/0x620 [ 392.123519] ? __msan_metadata_ptr_for_store_4+0x13/0x20 [ 392.129007] ? prepare_exit_to_usermode+0x114/0x420 [ 392.134067] ? kmsan_get_shadow_origin_ptr+0x60/0x440 [ 392.139325] __se_sys_readv+0x9b/0xb0 [ 392.143178] __x64_sys_readv+0x4a/0x70 [ 392.147086] do_syscall_64+0xbc/0xf0 [ 392.150827] entry_SYSCALL_64_after_hwframe+0x63/0xe7 00:59:02 executing program 3: socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$NBD_CMD_DISCONNECT(r0, 0x0, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, 0x0) write(r0, 0x0, 0x0) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000200), 0x4) writev(r0, &(0x7f000063e000)=[{&(0x7f0000a66000)="da", 0x1}], 0x1) close(r0) sendmmsg$alg(r1, &(0x7f0000236fc8)=[{0x0, 0xffffff7f, &(0x7f00000fff80), 0x0, &(0x7f00001e1e78), 0xc00}], 0x4924924924926c8, 0x0) read(r1, &(0x7f0000000fc0)=""/253, 0x24) [ 392.156036] RIP: 0033:0x457e29 [ 392.159267] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 392.178170] RSP: 002b:00007f210d91cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 [ 392.185880] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29 [ 392.193150] RDX: 0000000000000001 RSI: 0000000020000480 RDI: 0000000000000003 [ 392.200428] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 392.207702] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f210d91d6d4 [ 392.214986] R13: 00000000004c494f R14: 00000000004d8510 R15: 00000000ffffffff [ 392.223383] Kernel Offset: disabled [ 392.227022] Rebooting in 86400 seconds..