0001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630740"], 0x0, 0x0, 0x0}) [ 2296.220510][ T9537] binder: BINDER_SET_CONTEXT_MGR already set [ 2296.243798][ T9537] binder: 9535:9537 ioctl 40046207 0 returned -16 [ 2296.267472][ T9538] binder_alloc: 9486: binder_alloc_buf, no vma [ 2296.288395][ T9538] binder: 9535:9538 transaction failed 29189/-3, size 24-8 line 3147 [ 2296.305015][ T9537] binder: 9535:9537 unknown command 1074225926 [ 2296.313764][ T9537] binder: 9535:9537 ioctl c0306201 20000380 returned -22 [ 2296.327481][ T9538] binder_alloc: binder_alloc_mmap_handler: 9535 20001000-20004000 already mapped failed -16 [ 2296.345140][ T9537] binder: BINDER_SET_CONTEXT_MGR already set [ 2296.353057][ T9537] binder: 9535:9537 ioctl 40046207 0 returned -16 [ 2296.359743][ T9538] binder_alloc: 9486: binder_alloc_buf, no vma [ 2296.373296][ T9538] binder: 9535:9538 transaction failed 29189/-3, size 24-8 line 3147 [ 2297.535195][T23288] binder_release_work: 5 callbacks suppressed [ 2297.535204][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.549999][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.556265][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.562656][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.568925][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.575224][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.581645][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.587865][T23288] binder: send failed reply for transaction 819 to 9486:9487 [ 2297.595418][T23288] binder_release_work: 1 callbacks suppressed [ 2297.595423][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2297.607457][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2297.613778][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:06 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x30710000000000) 17:25:06 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x1000000000000) 17:25:06 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06631240"], 0x0, 0x0, 0x0}) 17:25:06 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x300000000000000, 0x0, 0xa0008000) 17:25:06 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2297.726246][ T9542] binder: 9541:9542 unknown command 1074946822 [ 2297.763628][ T9542] binder: 9541:9542 ioctl c0306201 20000380 returned -22 17:25:06 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2297.826395][ T9548] binder_alloc: binder_alloc_mmap_handler: 9541 20001000-20004000 already mapped failed -16 [ 2297.882571][ T9552] device sit0 left promiscuous mode [ 2297.910103][ T9542] binder: BINDER_SET_CONTEXT_MGR already set [ 2297.940289][ T9542] binder: 9541:9542 ioctl 40046207 0 returned -16 [ 2297.985103][ T9558] binder_alloc: 9541: binder_alloc_buf, no vma [ 2298.020445][ T9558] binder: 9541:9558 transaction failed 29189/-3, size 24-8 line 3147 [ 2298.038772][ T9542] binder: 9541:9542 unknown command 1074946822 [ 2298.072896][T23288] binder: release 9541:9542 transaction 830 out, still active [ 2298.083127][ T9542] binder: 9541:9542 ioctl c0306201 20000380 returned -22 [ 2298.087992][ T9556] device sit0 entered promiscuous mode [ 2298.103249][T23288] binder: unexpected work type, 4, not freed [ 2298.122903][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2298.128796][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06635c40"], 0x0, 0x0, 0x0}) [ 2298.208544][T23288] binder: send failed reply for transaction 830, target dead 17:25:07 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:07 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x50e07c157f0000) [ 2298.338078][ T9562] binder: 9561:9562 unknown command 1079796486 17:25:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2298.397643][ T9562] binder: 9561:9562 ioctl c0306201 20000380 returned -22 [ 2298.514403][ T9568] binder_alloc: binder_alloc_mmap_handler: 9561 20001000-20004000 already mapped failed -16 17:25:07 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2298.643990][ T9562] binder: BINDER_SET_CONTEXT_MGR already set [ 2298.741911][ T9562] binder: 9561:9562 ioctl 40046207 0 returned -16 [ 2298.742060][T23288] binder: send failed reply for transaction 835 to 9561:9562 [ 2298.805201][ T9575] device sit0 left promiscuous mode [ 2298.808876][T23288] binder: undelivered TRANSACTION_COMPLETE 17:25:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="0663045c"], 0x0, 0x0, 0x0}) 17:25:07 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2298.933167][ T9578] device sit0 entered promiscuous mode 17:25:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x200000000000000, 0x0, 0xa0008000) [ 2299.044012][ T9582] binder: 9579:9582 unknown command 1543791366 17:25:07 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x900000000000000, 0x0, 0xa0008000) 17:25:07 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x60c47d157f0000) [ 2299.093415][ T9582] binder: 9579:9582 ioctl c0306201 20000380 returned -22 17:25:07 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2299.160267][ T9587] binder_alloc: binder_alloc_mmap_handler: 9579 20001000-20004000 already mapped failed -16 [ 2299.175885][ T9582] binder: BINDER_SET_CONTEXT_MGR already set [ 2299.240606][ T9582] binder: 9579:9582 ioctl 40046207 0 returned -16 17:25:08 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2299.325970][ T9593] device sit0 left promiscuous mode [ 2299.396785][ T9597] binder_alloc: 9579: binder_alloc_buf, no vma [ 2299.440563][ T9595] device sit0 entered promiscuous mode [ 2299.447547][T23288] binder: send failed reply for transaction 839 to 9579:9582 [ 2299.462550][ T9597] binder: 9579:9597 transaction failed 29189/-3, size 24-8 line 3147 [ 2299.474539][T23288] binder: undelivered TRANSACTION_COMPLETE 17:25:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x2, 0x0, 0x0}) 17:25:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x200000000000000, 0x0, 0xa0008000) [ 2299.717284][ T9603] binder: 9602:9603 Release 1 refcount change on invalid ref 0 ret -22 17:25:08 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x60e47d157f0000) [ 2299.781539][ T9603] binder: 9602:9603 ioctl c0306201 20000380 returned -14 [ 2299.817937][ T9606] binder_alloc: binder_alloc_mmap_handler: 9602 20001000-20004000 already mapped failed -16 17:25:08 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x2000000000000000, 0x0, 0xa0008000) 17:25:08 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2299.891294][ T9603] binder: BINDER_SET_CONTEXT_MGR already set [ 2299.900409][ T9603] binder: 9602:9603 ioctl 40046207 0 returned -16 [ 2299.956591][ T9610] binder_alloc: 9602: binder_alloc_buf, no vma [ 2300.002600][T12655] binder: send failed reply for transaction 844 to 9602:9603 [ 2300.024234][ T9610] binder: 9602:9610 transaction failed 29189/-3, size 24-8 line 3147 [ 2300.027281][T12655] binder: undelivered TRANSACTION_COMPLETE 17:25:08 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x3, 0x0, 0x0}) [ 2300.261361][ T9620] device sit0 left promiscuous mode 17:25:09 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x200000000000000, 0x0, 0xa0008000) [ 2300.336381][ T9622] binder: 9621:9622 Release 1 refcount change on invalid ref 0 ret -22 [ 2300.405030][ T9622] binder: 9621:9622 ioctl c0306201 20000380 returned -14 [ 2300.413773][ T9623] device sit0 entered promiscuous mode 17:25:09 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2300.458218][ T9625] binder_alloc: binder_alloc_mmap_handler: 9621 20001000-20004000 already mapped failed -16 17:25:09 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x8000a0ffffffff) [ 2300.516732][ T9622] binder: BINDER_SET_CONTEXT_MGR already set [ 2300.580813][ T9622] binder: 9621:9622 ioctl 40046207 0 returned -16 [ 2300.581258][ T9628] binder_alloc: 9621: binder_alloc_buf, no vma 17:25:09 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x3f00000000000000, 0x0, 0xa0008000) [ 2300.628081][ T9625] binder: 9621:9625 Release 1 refcount change on invalid ref 0 ret -22 [ 2300.687856][ T9628] binder: 9621:9628 transaction failed 29189/-3, size 24-8 line 3147 [ 2300.770623][T12655] binder: release 9621:9622 transaction 849 out, still active [ 2300.784312][ T9625] binder: 9621:9625 ioctl c0306201 20000380 returned -14 [ 2300.797254][T12655] binder: unexpected work type, 4, not freed [ 2300.839253][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2300.890090][T12655] binder: send failed reply for transaction 849, target dead 17:25:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4, 0x0, 0x0}) 17:25:09 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:09 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x4000000000000000, 0x0, 0xa0008000) 17:25:09 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2301.070960][ T9641] binder: 9639:9641 Release 1 refcount change on invalid ref 0 ret -22 [ 2301.099625][ T9641] binder: 9639:9641 ioctl c0306201 20000380 returned -14 [ 2301.169597][ T9641] binder: BINDER_SET_CONTEXT_MGR already set [ 2301.180361][ T9642] binder_alloc: binder_alloc_mmap_handler: 9639 20001000-20004000 already mapped failed -16 [ 2301.199004][ T9645] device sit0 left promiscuous mode [ 2301.202734][ T9643] binder_alloc: 9639: binder_alloc_buf, no vma 17:25:10 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:10 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x8001a0ffffffff) [ 2301.280736][ T9642] binder: 9639:9642 Release 1 refcount change on invalid ref 0 ret -22 [ 2301.289058][ T9642] binder: 9639:9642 ioctl c0306201 20000380 returned -14 [ 2301.320610][ T9649] device sit0 entered promiscuous mode [ 2301.407393][T23288] binder: release 9639:9641 transaction 854 out, still active [ 2301.415972][ T9641] binder: 9639:9641 ioctl 40046207 0 returned -16 [ 2301.440756][T23288] binder: unexpected work type, 4, not freed [ 2301.456734][ T9657] misc userio: Invalid payload size [ 2301.476551][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2301.483858][ T9643] binder: 9639:9643 transaction failed 29189/-3, size 24-8 line 3147 [ 2301.526104][T23288] binder: send failed reply for transaction 854, target dead 17:25:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x5, 0x0, 0x0}) 17:25:10 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:10 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x4b16000000000000, 0x0, 0xa0008000) [ 2301.705510][ T9662] binder: 9661:9662 Release 1 refcount change on invalid ref 0 ret -22 [ 2301.767908][ T9662] binder: 9661:9662 ioctl c0306201 20000380 returned -14 [ 2301.828168][ T9665] binder_alloc: binder_alloc_mmap_handler: 9661 20001000-20004000 already mapped failed -16 [ 2301.900116][ T9662] binder: BINDER_SET_CONTEXT_MGR already set [ 2301.938002][ T9662] binder: 9661:9662 ioctl 40046207 0 returned -16 [ 2301.959657][ T9670] binder_alloc: 9661: binder_alloc_buf, no vma [ 2301.969833][ T9654] device sit0 left promiscuous mode [ 2301.997297][ T9670] binder: 9661:9670 transaction failed 29189/-3, size 24-8 line 3147 [ 2302.005869][T12655] binder: send failed reply for transaction 859 to 9661:9662 [ 2302.020987][T12655] binder: undelivered TRANSACTION_COMPLETE 17:25:10 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:10 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xa0700000000000) 17:25:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6, 0x0, 0x0}) [ 2302.266416][ T9678] binder: 9677:9678 Release 1 refcount change on invalid ref 0 ret -22 17:25:11 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x8000000000000000, 0x0, 0xa0008000) [ 2302.315090][ T9678] binder: 9677:9678 ioctl c0306201 20000380 returned -14 17:25:11 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2302.371825][ T9680] binder_alloc: binder_alloc_mmap_handler: 9677 20001000-20004000 already mapped failed -16 [ 2302.444795][ T9678] binder: BINDER_SET_CONTEXT_MGR already set [ 2302.522231][ T9686] binder: 9677:9686 Release 1 refcount change on invalid ref 0 ret -22 [ 2302.522771][ T9678] binder: 9677:9678 ioctl 40046207 0 returned -16 [ 2302.580022][T23288] binder: release 9677:9678 transaction 864 out, still active [ 2302.587689][ T9657] device sit0 entered promiscuous mode [ 2302.591364][ T9686] binder: 9677:9686 ioctl c0306201 20000380 returned -14 [ 2302.596057][ T9680] binder_alloc: 9677: binder_alloc_buf, no vma [ 2302.606553][T23288] binder: unexpected work type, 4, not freed [ 2302.640207][ T9680] binder: 9677:9680 transaction failed 29189/-3, size 24-8 line 3147 [ 2302.650726][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2302.674003][T23288] binder: send failed reply for transaction 864, target dead 17:25:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7, 0x0, 0x0}) [ 2302.711042][T23288] binder_release_work: 9 callbacks suppressed [ 2302.711050][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:11 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2302.783980][ T9674] device sit0 left promiscuous mode 17:25:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2302.859559][ T9676] device sit0 entered promiscuous mode [ 2302.911199][ T9693] binder: 9690:9693 Release 1 refcount change on invalid ref 0 ret -22 [ 2302.991963][ T9693] binder: 9690:9693 ioctl c0306201 20000380 returned -14 17:25:11 executing program 2: openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r1 = dup(r0) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r1, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2303.047329][ T9696] binder_alloc: binder_alloc_mmap_handler: 9690 20001000-20004000 already mapped failed -16 17:25:11 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2303.090893][ T9693] binder: BINDER_SET_CONTEXT_MGR already set [ 2303.121826][ T9693] binder: 9690:9693 ioctl 40046207 0 returned -16 [ 2303.121883][ T9699] binder_alloc: 9690: binder_alloc_buf, no vma 17:25:11 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:12 executing program 2: openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r1 = dup(r0) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r1, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2303.219852][ T9699] binder: 9690:9699 transaction failed 29189/-3, size 24-8 line 3147 [ 2303.275289][ T9704] device sit0 left promiscuous mode 17:25:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0xa, 0x0, 0x0}) [ 2303.381652][ T9707] misc userio: Invalid payload size [ 2303.413990][ T9710] binder: BINDER_SET_CONTEXT_MGR already set [ 2303.444863][ T9710] binder: 9709:9710 ioctl 40046207 0 returned -16 [ 2303.479329][ T9712] binder_alloc: 9690: binder_alloc_buf, no vma [ 2303.515469][ T9712] binder: 9709:9712 transaction failed 29189/-3, size 24-8 line 3147 [ 2303.524532][ T9710] binder: 9709:9710 Release 1 refcount change on invalid ref 0 ret -22 [ 2303.555193][ T9710] binder: 9709:9710 ioctl c0306201 20000380 returned -14 [ 2303.587549][ T9712] binder_alloc: binder_alloc_mmap_handler: 9709 20001000-20004000 already mapped failed -16 [ 2303.664237][ T9707] device sit0 entered promiscuous mode [ 2303.674975][ T9712] binder_alloc: 9690: binder_alloc_buf, no vma [ 2303.675235][ T9713] binder: BINDER_SET_CONTEXT_MGR already set [ 2303.689226][ T9712] binder: 9709:9712 transaction failed 29189/-3, size 24-8 line 3147 [ 2303.726915][ T9713] binder: 9709:9713 ioctl 40046207 0 returned -16 [ 2305.172556][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2305.178932][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2305.185330][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2305.191751][T12655] binder: send failed reply for transaction 869 to 9690:9693 [ 2305.199262][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2305.205238][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:25:14 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:14 executing program 2: openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r1 = dup(r0) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r1, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:14 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xf0ffffff00000000, 0x0, 0xa0008000) 17:25:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x48, 0x0, 0x0}) 17:25:14 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xb0500000000000) 17:25:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x8001a0ffffffff) [ 2305.347965][ T9719] binder: 9718:9719 Release 1 refcount change on invalid ref 0 ret -22 17:25:14 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2305.430019][ T9719] binder: 9718:9719 ioctl c0306201 20000380 returned -14 [ 2305.537913][ T9733] binder_alloc: binder_alloc_mmap_handler: 9718 20001000-20004000 already mapped failed -16 17:25:14 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2305.599794][ T9719] binder: BINDER_SET_CONTEXT_MGR already set [ 2305.656034][ T9719] binder: 9718:9719 ioctl 40046207 0 returned -16 [ 2305.656175][ T9735] binder_alloc: 9718: binder_alloc_buf, no vma 17:25:14 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x8000000000000000, 0x0, 0xa0008000) [ 2305.730855][ T9733] binder: 9718:9733 Release 1 refcount change on invalid ref 0 ret -22 [ 2305.786009][T23288] binder: release 9718:9719 transaction 876 out, still active [ 2305.801485][ T9735] binder: 9718:9735 transaction failed 29189/-3, size 24-8 line 3147 [ 2305.813843][T23288] binder: unexpected work type, 4, not freed [ 2305.847892][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2305.856800][ T9733] binder: 9718:9733 ioctl c0306201 20000380 returned -14 [ 2305.864874][T23288] binder: send failed reply for transaction 876, target dead [ 2305.887143][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4c, 0x0, 0x0}) [ 2305.947929][ T9739] device sit0 left promiscuous mode 17:25:14 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x100000000000000) [ 2306.053841][ T9745] device sit0 entered promiscuous mode [ 2306.061754][ T9748] binder: 9747:9748 Release 1 refcount change on invalid ref 0 ret -22 17:25:14 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xfeffffffffffffff, 0x0, 0xa0008000) 17:25:14 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2306.159606][ T9748] binder: 9747:9748 ioctl c0306201 20000380 returned -14 [ 2306.218505][ T9752] binder_alloc: binder_alloc_mmap_handler: 9747 20001000-20004000 already mapped failed -16 [ 2306.263866][ T9748] binder: BINDER_SET_CONTEXT_MGR already set [ 2306.350839][ T9748] binder: 9747:9748 ioctl 40046207 0 returned -16 [ 2306.403813][ T9759] binder_alloc: 9747: binder_alloc_buf, no vma [ 2306.440049][ T9759] binder: 9747:9759 transaction failed 29189/-3, size 24-8 line 3147 [ 2306.450394][T12655] binder: send failed reply for transaction 881 to 9747:9748 [ 2306.457848][T12655] binder: undelivered TRANSACTION_COMPLETE 17:25:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x60, 0x0, 0x0}) 17:25:15 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x8000000000000000, 0x0, 0xa0008000) [ 2306.554168][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2306.598746][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2306.625579][ T9765] binder: 9762:9765 Release 1 refcount change on invalid ref 0 ret -22 17:25:15 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2306.658704][ T9765] binder: 9762:9765 ioctl c0306201 20000380 returned -14 [ 2306.697171][ T9768] binder_alloc: binder_alloc_mmap_handler: 9762 20001000-20004000 already mapped failed -16 17:25:15 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x200000000000000) [ 2306.725399][ T9769] device sit0 left promiscuous mode [ 2306.729350][ T9765] binder: BINDER_SET_CONTEXT_MGR already set [ 2306.739267][ T9765] binder: 9762:9765 ioctl 40046207 0 returned -16 17:25:15 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2306.767391][ T9768] binder_alloc: 9762: binder_alloc_buf, no vma [ 2306.812903][T23288] binder: release 9762:9765 transaction 886 out, still active [ 2306.821902][ T9768] binder: 9762:9768 transaction failed 29189/-3, size 24-8 line 3147 [ 2306.831650][T23288] binder: unexpected work type, 4, not freed [ 2306.853279][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2306.880041][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x68, 0x0, 0x0}) 17:25:15 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xffefffffff7f0000, 0x0, 0xa0008000) [ 2306.928832][T23288] binder: send failed reply for transaction 886, target dead [ 2306.951510][ T9777] device sit0 entered promiscuous mode [ 2307.071132][ T9784] binder: 9780:9784 Release 1 refcount change on invalid ref 0 ret -22 [ 2307.131139][ T9784] binder: 9780:9784 ioctl c0306201 20000380 returned -14 17:25:15 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2307.187304][ T9785] binder_alloc: binder_alloc_mmap_handler: 9780 20001000-20004000 already mapped failed -16 17:25:16 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2307.291525][ T9785] binder_alloc: 9780: binder_alloc_buf, no vma [ 2307.306764][ T9788] binder: BINDER_SET_CONTEXT_MGR already set [ 2307.329663][ T9785] binder: 9780:9785 transaction failed 29189/-3, size 24-8 line 3147 17:25:16 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x8000000000000000, 0x0, 0xa0008000) 17:25:16 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2307.413714][ T9784] binder: 9780:9784 Release 1 refcount change on invalid ref 0 ret -22 [ 2307.461082][T23288] binder: release 9780:9784 transaction 891 out, still active [ 2307.480633][ T9788] binder: 9780:9788 ioctl 40046207 0 returned -16 [ 2307.491624][T23288] binder: unexpected work type, 4, not freed [ 2307.512048][ T9784] binder: 9780:9784 ioctl c0306201 20000380 returned -14 [ 2307.523154][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2307.553995][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6c, 0x0, 0x0}) [ 2307.594830][T23288] binder: send failed reply for transaction 891, target dead 17:25:16 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x300000000000000) 17:25:16 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2307.727399][ T9798] binder: 9797:9798 Release 1 refcount change on invalid ref 0 ret -22 [ 2307.790090][ T9798] binder: 9797:9798 ioctl c0306201 20000380 returned -14 [ 2307.846861][ T9804] binder_alloc: binder_alloc_mmap_handler: 9797 20001000-20004000 already mapped failed -16 [ 2307.890255][ T9798] binder: BINDER_SET_CONTEXT_MGR already set [ 2307.917036][ T9804] binder_alloc: 9797: binder_alloc_buf, no vma 17:25:16 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xffffff7f00000000, 0x0, 0xa0008000) [ 2307.985363][ T9807] binder: 9797:9807 Release 1 refcount change on invalid ref 0 ret -22 [ 2307.988012][T23288] binder: release 9797:9798 transaction 896 out, still active 17:25:16 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2308.076959][T23288] binder: unexpected work type, 4, not freed [ 2308.084342][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2308.090709][ T9807] binder: 9797:9807 ioctl c0306201 20000380 returned -14 [ 2308.108573][ T9798] binder: 9797:9798 ioctl 40046207 0 returned -16 [ 2308.110938][ T9804] binder: 9797:9804 transaction failed 29189/-3, size 24-8 line 3147 [ 2308.128063][T23288] binder: send failed reply for transaction 896, target dead 17:25:17 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:17 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:17 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2308.201940][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x74, 0x0, 0x0}) 17:25:17 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x900000000000000) [ 2308.412159][ T9821] binder: 9819:9821 Release 1 refcount change on invalid ref 0 ret -22 17:25:17 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2308.510315][ T9821] binder: 9819:9821 ioctl c0306201 20000380 returned -14 [ 2308.566141][ T9826] binder_alloc: binder_alloc_mmap_handler: 9819 20001000-20004000 already mapped failed -16 [ 2308.612616][ T9821] binder: BINDER_SET_CONTEXT_MGR already set [ 2308.662368][ T9821] binder: 9819:9821 ioctl 40046207 0 returned -16 17:25:17 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xffffffff00000000, 0x0, 0xa0008000) 17:25:17 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2308.731935][ T9831] binder_alloc: 9819: binder_alloc_buf, no vma 17:25:17 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2308.778612][T23288] binder: send failed reply for transaction 901 to 9819:9821 [ 2308.806393][ T9831] binder: 9819:9831 transaction failed 29189/-3, size 24-8 line 3147 [ 2308.813446][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2308.871075][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2308.907430][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2308.914024][ T9836] device sit0 left promiscuous mode 17:25:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7a, 0x0, 0x0}) 17:25:17 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x2000000000000000) 17:25:17 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6c, 0x0, 0x0}) [ 2309.061863][ T9842] binder: 9841:9842 Release 1 refcount change on invalid ref 0 ret -22 [ 2309.065002][ T9839] device sit0 entered promiscuous mode [ 2309.103708][ T9842] binder: 9841:9842 ioctl c0306201 20000380 returned -14 [ 2309.117765][ T9844] binder: BINDER_SET_CONTEXT_MGR already set [ 2309.146947][ T9848] binder_alloc: binder_alloc_mmap_handler: 9841 20001000-20004000 already mapped failed -16 [ 2309.149195][ T9844] binder: 9843:9844 ioctl 40046207 0 returned -16 [ 2309.196946][ T9842] binder: BINDER_SET_CONTEXT_MGR already set [ 2309.217329][ T9842] binder: 9841:9842 ioctl 40046207 0 returned -16 [ 2309.233833][ T9849] binder_alloc: 9841: binder_alloc_buf, no vma 17:25:18 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2309.302559][ T9844] binder: 9843:9844 ioctl c0306201 20000380 returned -14 [ 2309.335582][T23288] binder: send failed reply for transaction 906 to 9841:9842 [ 2309.345275][ T9851] binder_alloc: 9841: binder_alloc_buf, no vma [ 2309.354082][ T9849] binder: 9843:9849 transaction failed 29189/-3, size 24-8 line 3147 [ 2309.365969][ T9851] binder: 9841:9851 transaction failed 29189/-3, size 24-8 line 3147 [ 2309.379960][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2309.385797][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:18 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:18 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xffffffffa0008000, 0x0, 0xa0008000) [ 2309.403120][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2309.421454][ T9853] device sit0 left promiscuous mode [ 2309.430389][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x300, 0x0, 0x0}) 17:25:18 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2309.522598][ T9854] device sit0 entered promiscuous mode [ 2309.590251][ T9862] binder: 9857:9862 ioctl c0306201 20000380 returned -14 17:25:18 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x4000000000000000) [ 2309.670202][ T9863] binder_alloc: binder_alloc_mmap_handler: 9857 20001000-20004000 already mapped failed -16 [ 2309.713825][ T9862] binder: BINDER_SET_CONTEXT_MGR already set 17:25:18 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2309.778570][ T9862] binder: 9857:9862 ioctl 40046207 0 returned -16 [ 2309.810940][ T9869] binder_alloc: 9857: binder_alloc_buf, no vma [ 2309.817188][ T9869] binder: 9857:9869 transaction failed 29189/-3, size 24-8 line 3147 [ 2309.935738][ T9871] device sit0 left promiscuous mode [ 2309.962079][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2309.980133][T23288] binder: send failed reply for transaction 912 to 9857:9862 [ 2309.987714][T23288] binder: undelivered TRANSACTION_COMPLETE 17:25:18 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x500, 0x0, 0x0}) [ 2310.019780][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2310.054754][ T9874] device sit0 entered promiscuous mode 17:25:18 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xffffffffa0018000, 0x0, 0xa0008000) 17:25:19 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2310.221580][ T9883] binder: 9879:9883 ioctl c0306201 20000380 returned -14 17:25:19 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x5016000000000000) 17:25:19 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2310.331680][ T9884] binder_alloc: binder_alloc_mmap_handler: 9879 20001000-20004000 already mapped failed -16 17:25:19 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2310.376761][ T9883] binder: BINDER_SET_CONTEXT_MGR already set [ 2310.460541][ T9883] binder: 9879:9883 ioctl 40046207 0 returned -16 [ 2310.460583][ T9886] binder_alloc: 9879: binder_alloc_buf, no vma [ 2310.473416][T12655] binder: send failed reply for transaction 917 to 9879:9883 [ 2310.492344][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2310.507885][ T9886] binder: 9879:9886 transaction failed 29189/-3, size 24-8 line 3147 [ 2310.509496][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:25:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x600, 0x0, 0x0}) [ 2310.563420][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2310.658373][ T9891] device sit0 left promiscuous mode 17:25:19 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xffffffffff600000, 0x0, 0xa0008000) [ 2310.736338][ T9889] misc userio: Invalid payload size [ 2310.742636][ T9899] misc userio: Invalid payload size [ 2310.752995][ T9898] binder_thread_write: 3 callbacks suppressed [ 2310.753010][ T9898] binder: 9897:9898 Release 1 refcount change on invalid ref 0 ret -22 [ 2310.771709][ T9896] device sit0 left promiscuous mode [ 2310.810898][ T9898] binder: 9897:9898 ioctl c0306201 20000380 returned -14 [ 2310.843845][ T9903] binder_alloc: binder_alloc_mmap_handler: 9897 20001000-20004000 already mapped failed -16 [ 2310.903382][ T9898] binder: BINDER_SET_CONTEXT_MGR already set [ 2310.942496][ T9898] binder: 9897:9898 ioctl 40046207 0 returned -16 [ 2310.946215][ T9905] binder_alloc: 9897: binder_alloc_buf, no vma [ 2310.995681][ T9903] binder: 9897:9903 Release 1 refcount change on invalid ref 0 ret -22 [ 2311.050761][T23288] binder: release 9897:9898 transaction 922 out, still active [ 2311.058334][T23288] binder: unexpected work type, 4, not freed [ 2311.070322][ T9903] binder: 9897:9903 ioctl c0306201 20000380 returned -14 [ 2311.080592][ T9905] binder: 9897:9905 transaction failed 29189/-3, size 24-8 line 3147 [ 2311.087660][T23288] binder: undelivered TRANSACTION_COMPLETE 17:25:19 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x8000000000000000) [ 2311.147698][T23288] binder: send failed reply for transaction 922, target dead 17:25:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x700, 0x0, 0x0}) [ 2311.273731][ T9889] device sit0 entered promiscuous mode [ 2311.311562][ T9911] binder: 9910:9911 Release 1 refcount change on invalid ref 0 ret -22 17:25:20 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xfffffffffffffffe, 0x0, 0xa0008000) [ 2311.395270][ T9911] binder: 9910:9911 ioctl c0306201 20000380 returned -14 [ 2311.470009][ T9913] binder_alloc: binder_alloc_mmap_handler: 9910 20001000-20004000 already mapped failed -16 [ 2311.496518][ T9899] device sit0 entered promiscuous mode 17:25:20 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) unshare(0x200) r1 = syz_open_procfs$namespace(0x0, &(0x7f0000000480)='ns/mnt\x00') setns(r1, 0x0) [ 2311.542579][ T9911] binder: BINDER_SET_CONTEXT_MGR already set [ 2311.550102][ T9895] device sit0 entered promiscuous mode 17:25:20 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2311.619554][ T9911] binder: 9910:9911 ioctl 40046207 0 returned -16 17:25:20 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0xa00, 0x0, 0x0}) 17:25:20 executing program 3: perf_event_open(&(0x7f0000c86f88)={0x2, 0x70, 0x910, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket(0x80000000000000a, 0x10000000002, 0x0) setsockopt$inet6_int(r1, 0x29, 0x19, &(0x7f0000000040), 0x4) [ 2311.765331][ T9924] device sit0 left promiscuous mode [ 2311.840535][ T9930] binder: BINDER_SET_CONTEXT_MGR already set [ 2311.860324][ T9930] binder: 9923:9930 ioctl 40046207 0 returned -16 [ 2311.867947][ T9930] binder_alloc: 9910: binder_alloc_buf, no vma [ 2311.882741][ T9930] binder: 9923:9930 transaction failed 29189/-3, size 24-8 line 3147 [ 2311.916310][ T9929] misc userio: Invalid payload size [ 2311.946285][ T9934] binder: 9923:9934 Release 1 refcount change on invalid ref 0 ret -22 [ 2311.994893][ T9934] binder: 9923:9934 ioctl c0306201 20000380 returned -14 [ 2312.020119][ T9934] binder_alloc: binder_alloc_mmap_handler: 9923 20001000-20004000 already mapped failed -16 [ 2312.044384][ T9930] binder: BINDER_SET_CONTEXT_MGR already set [ 2312.066141][ T9930] binder: 9923:9930 ioctl 40046207 0 returned -16 [ 2312.084393][ T9934] binder_alloc: 9910: binder_alloc_buf, no vma [ 2312.115279][ T9934] binder: 9923:9934 transaction failed 29189/-3, size 24-8 line 3147 17:25:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x2000, 0x0, 0x0}) [ 2312.276253][ T9937] binder: BINDER_SET_CONTEXT_MGR already set [ 2312.303707][ T9937] binder: 9936:9937 ioctl 40046207 0 returned -16 [ 2312.329218][ T9938] binder_alloc: 9910: binder_alloc_buf, no vma [ 2312.356307][ T9938] binder: 9936:9938 transaction failed 29189/-3, size 24-8 line 3147 [ 2312.368132][ T9937] binder: 9936:9937 Release 1 refcount change on invalid ref 0 ret -22 [ 2312.404501][ T9937] binder: 9936:9937 ioctl c0306201 20000380 returned -14 [ 2312.452643][ T9938] binder_alloc: binder_alloc_mmap_handler: 9936 20001000-20004000 already mapped failed -16 [ 2312.495018][ T9938] binder: BINDER_SET_CONTEXT_MGR already set [ 2312.519163][ T9939] binder_alloc: 9910: binder_alloc_buf, no vma [ 2312.549971][ T9938] binder: 9936:9938 ioctl 40046207 0 returned -16 [ 2312.552527][ T9937] binder: 9936:9937 Release 1 refcount change on invalid ref 0 ret -22 [ 2312.568937][ T9939] binder: 9936:9939 transaction failed 29189/-3, size 24-8 line 3147 [ 2312.618202][ T9937] binder: 9936:9937 ioctl c0306201 20000380 returned -14 17:25:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x3f00, 0x0, 0x0}) [ 2312.773973][ T9941] binder: BINDER_SET_CONTEXT_MGR already set [ 2312.803269][ T9941] binder: 9940:9941 ioctl 40046207 0 returned -16 [ 2312.819460][ T9942] binder_alloc: 9910: binder_alloc_buf, no vma [ 2312.836794][ T9942] binder: 9940:9942 transaction failed 29189/-3, size 24-8 line 3147 [ 2312.865592][ T9941] binder: 9940:9941 Release 1 refcount change on invalid ref 0 ret -22 [ 2312.897799][ T9941] binder: 9940:9941 ioctl c0306201 20000380 returned -14 [ 2312.933004][ T9942] binder_alloc: binder_alloc_mmap_handler: 9940 20001000-20004000 already mapped failed -16 [ 2312.976771][ T9942] binder: BINDER_SET_CONTEXT_MGR already set [ 2313.005401][ T9943] binder_alloc: 9910: binder_alloc_buf, no vma [ 2313.020087][ T9942] binder: 9940:9942 ioctl 40046207 0 returned -16 [ 2313.028712][ T9943] binder: 9940:9943 transaction failed 29189/-3, size 24-8 line 3147 17:25:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4800, 0x0, 0x0}) [ 2313.103603][ T9928] device sit0 left promiscuous mode [ 2313.151645][ T9933] device sit0 entered promiscuous mode [ 2313.177054][ T9945] binder: BINDER_SET_CONTEXT_MGR already set [ 2313.192330][ T9945] binder: 9944:9945 ioctl 40046207 0 returned -16 17:25:22 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2313.211494][ T9945] binder_alloc: 9910: binder_alloc_buf, no vma [ 2313.221489][ T9929] device sit0 entered promiscuous mode [ 2313.239245][ T9945] binder: 9944:9945 transaction failed 29189/-3, size 24-8 line 3147 [ 2313.272366][ T9946] binder: 9944:9946 Release 1 refcount change on invalid ref 0 ret -22 [ 2313.317597][ T9946] binder: 9944:9946 ioctl c0306201 20000380 returned -14 [ 2313.338714][ T9946] binder_alloc: binder_alloc_mmap_handler: 9944 20001000-20004000 already mapped failed -16 [ 2313.363693][ T9945] binder: BINDER_SET_CONTEXT_MGR already set [ 2313.377844][ T9945] binder: 9944:9945 ioctl 40046207 0 returned -16 [ 2313.392440][ T9946] binder_alloc: 9910: binder_alloc_buf, no vma [ 2313.405715][ T9946] binder: 9944:9946 transaction failed 29189/-3, size 24-8 line 3147 [ 2313.425297][ T9950] binder: 9944:9950 Release 1 refcount change on invalid ref 0 ret -22 [ 2313.458800][ T9950] binder: 9944:9950 ioctl c0306201 20000380 returned -14 [ 2314.229190][T12655] binder_release_work: 1 callbacks suppressed [ 2314.229198][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.241788][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.248216][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.254668][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.261117][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.267484][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.273917][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.280337][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.286777][T12655] binder: send failed reply for transaction 927 to 9910:9911 [ 2314.294443][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2314.300632][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.307145][ T9948] device sit0 left promiscuous mode 17:25:23 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xf0ffffff00000000) 17:25:23 executing program 3: perf_event_open(&(0x7f0000000580)={0x2, 0x70, 0x5c63, 0x10000000000002, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='children\x00') read$alg(r0, 0x0, 0x0) [ 2314.351792][ T9949] device sit0 entered promiscuous mode 17:25:23 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008002) 17:25:23 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, 0x0, 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4c00, 0x0, 0x0}) [ 2314.453573][ T9957] device sit0 left promiscuous mode [ 2314.462632][ T9959] binder: 9958:9959 Release 1 refcount change on invalid ref 0 ret -22 17:25:23 executing program 3: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000280)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCSETD(r0, 0x5412, &(0x7f0000000100)) 17:25:23 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2314.512097][ T9959] binder: 9958:9959 ioctl c0306201 20000380 returned -14 [ 2314.573588][ T9961] misc userio: Invalid payload size [ 2314.581251][ T9964] binder_alloc: binder_alloc_mmap_handler: 9958 20001000-20004000 already mapped failed -16 [ 2314.630113][ T9959] binder: BINDER_SET_CONTEXT_MGR already set [ 2314.636152][ T9959] binder: 9958:9959 ioctl 40046207 0 returned -16 [ 2314.689149][ T9971] binder_alloc: 9958: binder_alloc_buf, no vma [ 2314.723601][ T9971] binder: 9958:9971 transaction failed 29189/-3, size 24-8 line 3147 [ 2314.742325][ T9959] binder: 9958:9959 ioctl c0306201 20000380 returned -14 [ 2314.751281][T12655] binder: release 9958:9959 transaction 939 out, still active [ 2314.763751][T12655] binder: unexpected work type, 4, not freed [ 2314.778929][T12655] binder: undelivered TRANSACTION_COMPLETE 17:25:23 executing program 3: r0 = socket$inet(0x2, 0x4000080000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80200000000012, &(0x7f0000000080)=0x82, 0x4) setsockopt$sock_int(r0, 0x1, 0x7, &(0x7f00000000c0), 0x4) timer_create(0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_create(0x5, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_create(0x5, &(0x7f0000000180)={0x0, 0x7, 0x0, @thr={&(0x7f0000000280)="629f2c479149bcfd604c6deaedfa6bbe7f191a6cac544ad637d5bcada2a47b74156f609342b65d28f49a772381d4f6a26b6607fbe483586b38863e8bdf62d55059ff64af17db44c7d2347d1894b4d9fefcb82a923c1f03019595c1510fd70fc94fcdc44af40b1a3cd4b00c1fbb930bec2cf8ce9c8fc84ea341abd2d01bcca5a7f689551353fc5f80b920b78a959879500e5d08777fe4a698bb777c06ca0f4695ab7c0509", 0x0}}, 0x0) timer_create(0x2, &(0x7f0000000480)={0x0, 0x28, 0x1, @thr={&(0x7f0000000380)="5f5c41c043e730f47068e05e36a4e766b1bb962a460d387426d196e739fb219b7ac22df1df6a0fb15f60956a33dc7885e82a000aa935645391047fbe7306576dabfbf3492a354e011b58ca4c9d86d47b9d16e7a6359e65ad2f78ffb0f3ac9b46811834c60afb56dc2ffc33c87fdfc6086689057003fb6256992012bb030273ab12066ec4f2eda6d155a6312494d5aeb84fe9842b392436", 0x0}}, 0x0) timer_create(0x7, &(0x7f0000000540)={0x0, 0x36, 0x0, @tid=0xffffffffffffffff}, 0x0) timer_create(0x7, &(0x7f0000000700)={0x0, 0x37, 0x0, @thr={&(0x7f0000000640), 0x0}}, 0x0) timer_create(0x4, &(0x7f0000000440)={0x0, 0x1b, 0x2, @thr={&(0x7f0000000140), 0x0}}, 0x0) timer_delete(0x0) bind$inet(r0, &(0x7f0000deb000)={0x2, 0x4e23, @loopback}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000000000)={0x2, 0x4e23, @loopback}, 0x10) write$binfmt_elf64(0xffffffffffffffff, 0x0, 0x0) accept4$packet(0xffffffffffffffff, 0x0, 0x0, 0x0) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) ioctl$sock_inet_SIOCSIFDSTADDR(0xffffffffffffffff, 0x8918, 0x0) getpeername$packet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_tcp_SIOCATMARK(0xffffffffffffffff, 0x8905, 0x0) fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff) ioctl$sock_inet6_udp_SIOCINQ(0xffffffffffffffff, 0x541b, 0x0) write$binfmt_script(r0, &(0x7f0000000100)=ANY=[@ANYRES64], 0x8) ioctl$TCGETA(0xffffffffffffffff, 0x5405, 0x0) fsetxattr$trusted_overlay_opaque(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) fcntl$getflags(0xffffffffffffffff, 0x0) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000040), 0x4) openat(0xffffffffffffff9c, 0x0, 0x0, 0x0) getpid() ioctl$sock_inet_SIOCGARP(0xffffffffffffffff, 0x8955, 0x0) wait4(0x0, 0x0, 0x0, 0x0) accept4(0xffffffffffffffff, 0x0, 0x0, 0x0) write$binfmt_elf64(r0, &(0x7f00000016c0)=ANY=[@ANYPTR=&(0x7f00000005c0)=ANY=[@ANYPTR=&(0x7f00000004c0)=ANY=[@ANYRES16], @ANYRES32, @ANYRES64=0x0, @ANYPTR=&(0x7f0000000580)=ANY=[@ANYPTR64, @ANYRESHEX, @ANYPTR64, @ANYRES32=0x0]], @ANYRESDEC, @ANYRES16], 0xffffff84) recvmsg(r0, &(0x7f0000000240)={&(0x7f0000000740)=@nfc, 0x80, &(0x7f00000001c0)=[{&(0x7f0000003ac0)=""/4096, 0xff9a}], 0x1, &(0x7f0000000200)=""/20, 0x14}, 0x100) 17:25:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6000, 0x0, 0x0}) [ 2314.793877][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2314.806181][T12655] binder: send failed reply for transaction 939, target dead 17:25:23 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xfeffffffffffffff) 17:25:23 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008003) [ 2314.888198][ T9978] binder: 9977:9978 ioctl c0306201 20000380 returned -14 [ 2314.937634][ T9981] binder_alloc: binder_alloc_mmap_handler: 9977 20001000-20004000 already mapped failed -16 [ 2315.029006][T23288] binder: send failed reply for transaction 944 to 9977:9978 [ 2315.039709][T23288] binder: undelivered TRANSACTION_COMPLETE 17:25:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6800, 0x0, 0x0}) [ 2315.127392][ T9961] device sit0 entered promiscuous mode 17:25:24 executing program 3: r0 = socket$inet(0x2, 0x3, 0x19) connect$inet(0xffffffffffffffff, &(0x7f0000000000)={0x2, 0x0, @local}, 0xf5) setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x23, &(0x7f0000000000)={{{@in=@multicast2, @in=@multicast1}}, {{@in6}, 0x0, @in6=@loopback}}, 0xe8) setsockopt$inet_msfilter(r0, 0x0, 0x29, &(0x7f0000000100)={@multicast2, @local, 0x0, 0x1, [@local]}, 0x14) [ 2315.316818][ T9989] binder: 9988:9989 ioctl c0306201 20000380 returned -14 [ 2315.386197][ T9992] binder_alloc: binder_alloc_mmap_handler: 9988 20001000-20004000 already mapped failed -16 [ 2315.430811][ T9989] binder: BINDER_SET_CONTEXT_MGR already set [ 2315.454842][ T9972] device sit0 left promiscuous mode [ 2315.463495][ T9989] binder: 9988:9989 ioctl 40046207 0 returned -16 17:25:24 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xffefffffff7f0000) 17:25:24 executing program 1: r0 = perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ptmx\x00', 0x0, 0x0) dup2(r0, r1) [ 2315.521685][ T9974] device sit0 entered promiscuous mode [ 2315.527475][T12655] binder: send failed reply for transaction 949 to 9988:9989 [ 2315.556703][T12655] binder: undelivered TRANSACTION_COMPLETE 17:25:24 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008009) 17:25:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6c00, 0x0, 0x0}) 17:25:24 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:24 executing program 3: [ 2315.687954][T10005] binder: 10002:10005 ioctl c0306201 20000380 returned -14 [ 2315.746289][T10007] binder_alloc: binder_alloc_mmap_handler: 10002 20001000-20004000 already mapped failed -16 17:25:24 executing program 3: [ 2315.794358][T10010] device sit0 left promiscuous mode [ 2315.806026][T10005] binder: BINDER_SET_CONTEXT_MGR already set [ 2315.829195][T10005] binder: 10002:10005 ioctl 40046207 0 returned -16 [ 2315.831545][T12655] binder: release 10002:10005 transaction 953 out, still active [ 2315.877722][T10013] device sit0 entered promiscuous mode [ 2315.883380][T12655] binder: unexpected work type, 4, not freed [ 2315.889371][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2315.889467][T12655] binder: send failed reply for transaction 953, target dead 17:25:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7400, 0x0, 0x0}) 17:25:24 executing program 3: 17:25:24 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:24 executing program 3: [ 2316.047302][T10018] binder_thread_write: 4 callbacks suppressed [ 2316.047317][T10018] binder: 10017:10018 Release 1 refcount change on invalid ref 0 ret -22 [ 2316.080348][T10018] binder: 10017:10018 ioctl c0306201 20000380 returned -14 [ 2316.127743][T10022] binder_alloc: binder_alloc_mmap_handler: 10017 20001000-20004000 already mapped failed -16 [ 2316.138182][T10023] device sit0 left promiscuous mode [ 2316.150579][T10018] binder: BINDER_SET_CONTEXT_MGR already set [ 2316.163282][T10022] binder_alloc_new_buf_locked: 2 callbacks suppressed [ 2316.163289][T10022] binder_alloc: 10017: binder_alloc_buf, no vma 17:25:25 executing program 3: [ 2316.203017][T10025] binder: 10017:10025 Release 1 refcount change on invalid ref 0 ret -22 [ 2316.203092][T12655] binder: release 10017:10018 transaction 958 out, still active [ 2316.219687][T10018] binder: 10017:10018 ioctl 40046207 0 returned -16 [ 2316.234494][T12655] binder: unexpected work type, 4, not freed [ 2316.259049][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2316.280572][T12655] binder: send failed reply for transaction 958, target dead [ 2316.283045][T10024] device sit0 entered promiscuous mode [ 2316.304934][T10025] binder: 10017:10025 ioctl c0306201 20000380 returned -14 [ 2316.322537][T10022] binder_transaction: 2 callbacks suppressed [ 2316.322554][T10022] binder: 10017:10022 transaction failed 29189/-3, size 24-8 line 3147 17:25:26 executing program 3: 17:25:26 executing program 1: 17:25:26 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa00080fe) 17:25:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7a00, 0x0, 0x0}) 17:25:26 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xffffffff00000000) 17:25:26 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:26 executing program 3: 17:25:26 executing program 1: 17:25:26 executing program 3: [ 2317.931045][T10035] device sit0 left promiscuous mode [ 2317.937186][T10036] binder: 10029:10036 Release 1 refcount change on invalid ref 0 ret -22 17:25:26 executing program 1: [ 2317.976320][T10036] binder: 10029:10036 ioctl c0306201 20000380 returned -14 17:25:26 executing program 3: [ 2318.031172][T10042] binder_alloc: binder_alloc_mmap_handler: 10029 20001000-20004000 already mapped failed -16 [ 2318.054579][T10039] device sit0 entered promiscuous mode [ 2318.075111][T10036] binder: BINDER_SET_CONTEXT_MGR already set 17:25:26 executing program 1: [ 2318.109143][T10036] binder: 10029:10036 ioctl 40046207 0 returned -16 17:25:27 executing program 3: [ 2318.192064][T10047] binder_alloc: 10029: binder_alloc_buf, no vma 17:25:27 executing program 1: [ 2318.290619][T10047] binder: 10029:10047 transaction failed 29189/-3, size 24-8 line 3147 [ 2318.299089][T12655] binder: send failed reply for transaction 963 to 10029:10036 [ 2318.351295][T12655] binder: undelivered TRANSACTION_COMPLETE 17:25:27 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$VIDIOC_DBG_G_CHIP_INFO(r0, 0xc0c85666, &(0x7f00000001c0)={{0x7, @name="5bd037969278baa42c3fc5d803f615ffb3b19b093f58aa3405db8c251f81d5a7"}, "14159bad1f896c6205cc1515a18196df878635b96c44b7e483b61ef507a39a82", 0x1}) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) r2 = geteuid() setxattr$security_capability(&(0x7f0000000340)='./file0\x00', &(0x7f0000000380)='security.capability\x00', &(0x7f00000003c0)=@v3={0x3000000, [{0xfffffffffffffe00, 0x2}, {0x7, 0x1}], r2}, 0x18, 0x3) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r4 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r5 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r6 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$sock_inet_SIOCADDRT(r4, 0x890b, &(0x7f0000000140)={0x0, {0x2, 0x4e23, @remote}, {0x2, 0x4e22, @remote}, {0x2, 0x4e22, @local}, 0x80, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000100)='bond0\x00', 0x4, 0x1, 0x8}) syz_kvm_setup_cpu$x86(r5, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) bpf$OBJ_PIN_PROG(0x6, &(0x7f0000000300)={&(0x7f00000002c0)='./file0\x00', r5}, 0x10) 17:25:27 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xffffffffa0008000) 17:25:27 executing program 1: 17:25:27 executing program 3: 17:25:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x1000000, 0x0, 0x0}) 17:25:27 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2318.544311][T10054] binder: 10053:10054 Release 1 refcount change on invalid ref 0 ret -22 [ 2318.585325][T10057] device sit0 left promiscuous mode 17:25:27 executing program 3: 17:25:27 executing program 1: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000080)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) clone(0x2102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() clone(0x291ffff, 0x0, 0x0, 0x0, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) clock_nanosleep(0x3, 0x0, 0x0, 0x0) tkill(r0, 0x11) wait4(0x0, 0x0, 0x0, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, &(0x7f00000016c0)) [ 2318.611256][T10054] binder: 10053:10054 ioctl c0306201 20000380 returned -14 [ 2318.656281][T10063] binder_alloc: binder_alloc_mmap_handler: 10053 20001000-20004000 already mapped failed -16 17:25:27 executing program 3: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x0, 0x0) 17:25:27 executing program 1: r0 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x2, 0x9, 0x0, 0x0, 0x2}, 0x10}}, 0x0) [ 2318.750627][T10062] device sit0 entered promiscuous mode [ 2318.759374][T10054] binder: BINDER_SET_CONTEXT_MGR already set [ 2318.804672][T10054] binder: 10053:10054 ioctl 40046207 0 returned -16 [ 2318.819115][T10063] binder_alloc: 10053: binder_alloc_buf, no vma [ 2318.873075][T12655] binder: release 10053:10054 transaction 968 out, still active [ 2318.891381][T12655] binder: unexpected work type, 4, not freed 17:25:27 executing program 3: r0 = perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x802, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x8) sendmmsg$unix(r2, &(0x7f00000bd000), 0x80, 0x0) dup2(r0, r1) [ 2318.918624][T10063] binder: 10053:10063 transaction failed 29189/-3, size 24-8 line 3147 [ 2318.934560][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2318.981531][T12655] binder: send failed reply for transaction 968, target dead 17:25:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x2000000, 0x0, 0x0}) 17:25:28 executing program 1: perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x86080, 0x0) 17:25:28 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xffffffffa0018000) 17:25:28 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa00080fe) 17:25:28 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000100)='/dev/admmidi#\x00', 0x6fea, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000080)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) setsockopt$RXRPC_MIN_SECURITY_LEVEL(r2, 0x110, 0x4, &(0x7f0000000040)=0x2, 0x4) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2319.190874][T10083] binder: 10082:10083 transaction failed 29189/-22, size 24-8 line 2994 [ 2319.278065][T10090] binder: 10082:10090 transaction failed 29189/-22, size 24-8 line 2994 [ 2319.324323][T12655] binder_release_work: 8 callbacks suppressed [ 2319.324331][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2319.341839][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:25:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x3000000, 0x0, 0x0}) 17:25:28 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:28 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2319.520234][T10098] device sit0 left promiscuous mode [ 2319.540238][T10103] binder: 10096:10103 Release 1 refcount change on invalid ref 0 ret -22 [ 2319.568376][T10103] binder: 10096:10103 ioctl c0306201 20000380 returned -14 [ 2319.617084][T10100] device sit0 left promiscuous mode [ 2319.632066][T10107] binder_alloc: binder_alloc_mmap_handler: 10096 20001000-20004000 already mapped failed -16 [ 2319.637536][T10106] misc userio: Invalid payload size [ 2319.661080][T10107] binder: BINDER_SET_CONTEXT_MGR already set 17:25:28 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xffffffffff600000) 17:25:28 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa00080fe) [ 2319.685554][T10107] binder: 10096:10107 ioctl 40046207 0 returned -16 [ 2319.710189][T10103] binder: 10096:10103 Release 1 refcount change on invalid ref 0 ret -22 [ 2319.763044][T12655] binder: release 10096:10103 transaction 975 out, still active [ 2319.774801][T10103] binder: 10096:10103 ioctl c0306201 20000380 returned -14 [ 2319.791828][T12655] binder: unexpected work type, 4, not freed [ 2319.821942][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2319.862989][T12655] binder: send failed reply for transaction 975, target dead 17:25:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4000000, 0x0, 0x0}) [ 2320.019656][T10118] binder: 10117:10118 Release 1 refcount change on invalid ref 0 ret -22 [ 2320.083893][T10118] binder: 10117:10118 ioctl c0306201 20000380 returned -14 17:25:28 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) ioctl$PERF_EVENT_IOC_DISABLE(r2, 0x2401, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) write$RDMA_USER_CM_CMD_JOIN_MCAST(r1, &(0x7f0000000180)={0x16, 0x98, 0xfa00, {&(0x7f0000000140)={0xffffffffffffffff}, 0x3, 0xffffffffffffffff, 0x3c, 0x0, @in={0x2, 0x4e24, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0xa0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, &(0x7f0000000240)={0x11, 0x10, 0xfa00, {&(0x7f0000000100), r4}}, 0x18) r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0) r6 = dup(r5) getsockopt$inet_sctp6_SCTP_CONTEXT(r6, 0x84, 0x11, 0x0, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$sock_bt_bnep_BNEPCONNDEL(r6, 0x400442c9, &(0x7f0000000280)={0x7fffffff, @dev={[], 0x1b}}) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r7 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r8, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) connect$bt_l2cap(r5, &(0x7f00000002c0)={0x1f, 0x6, {0x8, 0x3f, 0xc2f1, 0x7, 0x40, 0xfffffffffffffff9}, 0x7f, 0x62c}, 0xe) [ 2320.131384][T10119] binder_alloc: binder_alloc_mmap_handler: 10117 20001000-20004000 already mapped failed -16 [ 2320.147909][T10118] binder: BINDER_SET_CONTEXT_MGR already set [ 2320.191705][T10118] binder: 10117:10118 ioctl 40046207 0 returned -16 [ 2320.266084][T10122] binder_alloc: 10117: binder_alloc_buf, no vma [ 2320.274692][T10098] device sit0 entered promiscuous mode 17:25:29 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xfffffffffffffffe) [ 2320.309411][T10122] binder: 10117:10122 transaction failed 29189/-3, size 24-8 line 3147 [ 2320.366349][T10109] device sit0 entered promiscuous mode 17:25:29 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x0, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x5000000, 0x0, 0x0}) 17:25:29 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:29 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2320.598772][T10130] binder: BINDER_SET_CONTEXT_MGR already set [ 2320.607430][T10128] device sit0 left promiscuous mode [ 2320.640155][T10130] binder: 10129:10130 ioctl 40046207 0 returned -16 [ 2320.689228][T10130] binder_alloc: 10117: binder_alloc_buf, no vma [ 2320.734463][T10130] binder: 10129:10130 transaction failed 29189/-3, size 24-8 line 3147 [ 2320.765078][T10136] device sit0 left promiscuous mode [ 2320.790973][T10139] misc userio: Invalid payload size [ 2320.793038][T10137] binder: 10129:10137 Release 1 refcount change on invalid ref 0 ret -22 [ 2320.821482][T10140] misc userio: Invalid payload size [ 2320.847685][T10137] binder: 10129:10137 ioctl c0306201 20000380 returned -14 [ 2320.900647][T10130] binder_alloc: binder_alloc_mmap_handler: 10129 20001000-20004000 already mapped failed -16 [ 2320.920259][T10130] binder: BINDER_SET_CONTEXT_MGR already set [ 2320.928870][T10130] binder: 10129:10130 ioctl 40046207 0 returned -16 [ 2320.936124][T10137] binder_alloc: 10117: binder_alloc_buf, no vma [ 2320.990118][T10137] binder: 10129:10137 transaction failed 29189/-3, size 24-8 line 3147 17:25:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6000000, 0x0, 0x0}) [ 2321.124903][T10143] binder: BINDER_SET_CONTEXT_MGR already set [ 2321.136783][T10143] binder: 10142:10143 ioctl 40046207 0 returned -16 [ 2321.166746][T10143] binder_alloc: 10117: binder_alloc_buf, no vma [ 2321.190477][T10143] binder: 10142:10143 transaction failed 29189/-3, size 24-8 line 3147 [ 2321.216503][T10144] binder: 10142:10144 Release 1 refcount change on invalid ref 0 ret -22 [ 2321.247349][T10144] binder: 10142:10144 ioctl c0306201 20000380 returned -14 [ 2321.287036][T10144] binder_alloc: binder_alloc_mmap_handler: 10142 20001000-20004000 already mapped failed -16 [ 2321.336039][T10143] binder: BINDER_SET_CONTEXT_MGR already set [ 2321.342686][T10143] binder: 10142:10143 ioctl 40046207 0 returned -16 [ 2321.349416][T10145] binder_alloc: 10117: binder_alloc_buf, no vma [ 2321.373884][T10145] binder: 10142:10145 transaction failed 29189/-3, size 24-8 line 3147 17:25:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7000000, 0x0, 0x0}) [ 2321.541637][T10147] binder: BINDER_SET_CONTEXT_MGR already set [ 2321.547664][T10147] binder: 10146:10147 ioctl 40046207 0 returned -16 [ 2321.610986][T10148] binder_alloc: 10117: binder_alloc_buf, no vma [ 2321.629946][T10148] binder: 10146:10148 transaction failed 29189/-3, size 24-8 line 3147 [ 2321.657360][T10147] binder: 10146:10147 Release 1 refcount change on invalid ref 0 ret -22 [ 2321.695760][T10147] binder: 10146:10147 ioctl c0306201 20000380 returned -14 [ 2321.736780][T10148] binder_alloc: binder_alloc_mmap_handler: 10146 20001000-20004000 already mapped failed -16 [ 2321.776538][T10147] binder: BINDER_SET_CONTEXT_MGR already set [ 2321.797520][T10147] binder: 10146:10147 ioctl 40046207 0 returned -16 [ 2321.819708][T10148] binder_alloc: 10117: binder_alloc_buf, no vma [ 2321.843141][T10148] binder: 10146:10148 transaction failed 29189/-3, size 24-8 line 3147 [ 2321.872596][T10135] device sit0 left promiscuous mode 17:25:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0xa000000, 0x0, 0x0}) [ 2321.977718][T10151] binder: BINDER_SET_CONTEXT_MGR already set [ 2321.990006][T10151] binder: 10150:10151 ioctl 40046207 0 returned -16 [ 2322.006430][T10151] binder_alloc: 10117: binder_alloc_buf, no vma [ 2322.035510][T10151] binder: 10150:10151 transaction failed 29189/-3, size 24-8 line 3147 [ 2322.069431][T10151] binder: 10150:10151 Release 1 refcount change on invalid ref 0 ret -22 [ 2322.093481][T10151] binder: 10150:10151 ioctl c0306201 20000380 returned -14 [ 2322.130422][T10152] binder_alloc: binder_alloc_mmap_handler: 10150 20001000-20004000 already mapped failed -16 [ 2322.161341][T10134] device sit0 entered promiscuous mode [ 2322.171834][T10151] binder: BINDER_SET_CONTEXT_MGR already set [ 2322.192244][T10151] binder: 10150:10151 ioctl 40046207 0 returned -16 17:25:31 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x0, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2322.219837][T10153] binder_alloc: 10117: binder_alloc_buf, no vma [ 2322.225332][T10139] device sit0 entered promiscuous mode [ 2322.239607][T10153] binder: 10150:10153 transaction failed 29189/-3, size 24-8 line 3147 [ 2322.295097][T10138] device sit0 entered promiscuous mode 17:25:31 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x20000000, 0x0, 0x0}) [ 2322.454989][T10160] binder: BINDER_SET_CONTEXT_MGR already set [ 2322.470010][T10160] binder: 10159:10160 ioctl 40046207 0 returned -16 [ 2322.485915][T10160] binder_alloc: 10117: binder_alloc_buf, no vma [ 2322.514475][T10160] binder: 10159:10160 transaction failed 29189/-3, size 24-8 line 3147 [ 2322.527729][T10161] misc userio: Invalid payload size [ 2322.537471][T10162] binder: 10159:10162 Release 1 refcount change on invalid ref 0 ret -22 [ 2322.558597][T10162] binder: 10159:10162 ioctl c0306201 20000380 returned -14 [ 2322.582613][T10162] binder_alloc: binder_alloc_mmap_handler: 10159 20001000-20004000 already mapped failed -16 [ 2322.605963][T10160] binder: BINDER_SET_CONTEXT_MGR already set [ 2322.621534][T10160] binder: 10159:10160 ioctl 40046207 0 returned -16 [ 2322.637792][T10162] binder_alloc: 10117: binder_alloc_buf, no vma [ 2322.656062][T10162] binder: 10159:10162 transaction failed 29189/-3, size 24-8 line 3147 [ 2323.405493][T10155] device sit0 left promiscuous mode [ 2323.440492][T10156] device sit0 entered promiscuous mode [ 2323.468690][T10158] device sit0 left promiscuous mode [ 2323.734942][T10161] device sit0 entered promiscuous mode [ 2323.772100][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.778399][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.790589][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.796819][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.810598][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.822061][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.828462][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.834828][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2323.841399][T12655] binder: send failed reply for transaction 979 to 10117:10118 [ 2323.849011][T12655] binder: undelivered TRANSACTION_COMPLETE 17:25:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x3f000000, 0x0, 0x0}) 17:25:33 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x0, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:33 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:33 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:33 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) keyctl$session_to_parent(0x12) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:33 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$vfio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/vfio/vfio\x00', 0x100, 0x0) ioctl$TIOCLINUX5(r0, 0x541c, &(0x7f0000000200)={0x5, 0x7f, 0x60000000, 0x8, 0x7}) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x40) openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000140)='/dev/btrfs-control\x00', 0x2, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) removexattr(&(0x7f0000000100)='./file0\x00', &(0x7f0000000180)=@known='trusted.syz\x00') mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2325.201300][T10166] device sit0 left promiscuous mode [ 2325.234007][T10169] binder: 10164:10169 Release 1 refcount change on invalid ref 0 ret -22 [ 2325.251600][T10174] misc userio: Invalid payload size [ 2325.267221][T10169] binder: 10164:10169 ioctl c0306201 20000380 returned -14 [ 2325.308237][T10178] misc userio: Invalid payload size [ 2325.311053][T10179] binder_alloc: binder_alloc_mmap_handler: 10164 20001000-20004000 already mapped failed -16 [ 2325.385920][T10169] binder: BINDER_SET_CONTEXT_MGR already set [ 2325.422385][T10169] binder: 10164:10169 ioctl 40046207 0 returned -16 [ 2325.423066][T10180] binder_alloc: 10164: binder_alloc_buf, no vma [ 2325.479731][T10179] binder: 10164:10179 Release 1 refcount change on invalid ref 0 ret -22 [ 2325.532649][T23288] binder: release 10164:10169 transaction 994 out, still active [ 2325.541249][T10179] binder: 10164:10179 ioctl c0306201 20000380 returned -14 [ 2325.557083][T23288] binder: unexpected work type, 4, not freed [ 2325.590656][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2325.603019][T10180] binder: 10164:10180 transaction failed 29189/-3, size 24-8 line 3147 [ 2325.622063][T23288] binder: send failed reply for transaction 994, target dead 17:25:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x48000000, 0x0, 0x0}) [ 2325.652033][T23288] binder_release_work: 4 callbacks suppressed [ 2325.652040][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2325.848805][T10187] binder: 10186:10187 Release 1 refcount change on invalid ref 0 ret -22 [ 2325.897703][T10187] binder: 10186:10187 ioctl c0306201 20000380 returned -14 [ 2325.937728][T10188] binder_alloc: binder_alloc_mmap_handler: 10186 20001000-20004000 already mapped failed -16 [ 2326.038406][T10189] binder: BINDER_SET_CONTEXT_MGR already set [ 2326.064895][T10187] binder_alloc: 10186: binder_alloc_buf, no vma [ 2326.098252][T10189] binder: 10186:10189 ioctl 40046207 0 returned -16 [ 2326.123014][T10187] binder: 10186:10187 transaction failed 29189/-3, size 24-8 line 3147 [ 2326.140401][T25500] binder: release 10186:10187 transaction 999 out, still active [ 2326.149537][T10170] device sit0 left promiscuous mode [ 2326.164135][T25500] binder: unexpected work type, 4, not freed 17:25:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4c000000, 0x0, 0x0}) [ 2326.194901][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2326.217234][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2326.241934][T25500] binder: send failed reply for transaction 999, target dead [ 2326.278205][T10171] device sit0 left promiscuous mode [ 2326.289405][T10191] binder: 10190:10191 Release 1 refcount change on invalid ref 0 ret -22 [ 2326.333905][T10191] binder: 10190:10191 ioctl c0306201 20000380 returned -14 [ 2326.378484][T10192] binder_alloc: binder_alloc_mmap_handler: 10190 20001000-20004000 already mapped failed -16 [ 2326.398822][T10191] binder: BINDER_SET_CONTEXT_MGR already set [ 2326.444397][T10191] binder: 10190:10191 ioctl 40046207 0 returned -16 17:25:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x60000000, 0x0, 0x0}) [ 2326.647401][T10195] binder: BINDER_SET_CONTEXT_MGR already set [ 2326.674834][T10174] device sit0 entered promiscuous mode [ 2326.680324][T10195] binder: 10194:10195 ioctl 40046207 0 returned -16 [ 2326.720456][T10195] binder_alloc: 10190: binder_alloc_buf, no vma [ 2326.741735][T10176] device sit0 entered promiscuous mode [ 2326.746634][T10195] binder: 10194:10195 transaction failed 29189/-3, size 24-8 line 3147 17:25:35 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xf0ffffff00000000) [ 2326.809458][T10196] binder: 10194:10196 Release 1 refcount change on invalid ref 0 ret -22 [ 2326.819558][T10178] device sit0 entered promiscuous mode [ 2326.840139][T10196] binder: 10194:10196 ioctl c0306201 20000380 returned -14 17:25:35 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r1 = dup(0xffffffffffffffff) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r1, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2326.887530][T10196] binder_alloc: binder_alloc_mmap_handler: 10194 20001000-20004000 already mapped failed -16 17:25:35 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xfffffffffffffffe, 0x0, 0xa0008000) [ 2326.956897][T10195] binder: BINDER_SET_CONTEXT_MGR already set [ 2326.991405][T10195] binder: 10194:10195 ioctl 40046207 0 returned -16 [ 2326.991709][T10201] binder_alloc: 10190: binder_alloc_buf, no vma [ 2327.195511][T10201] binder: 10194:10201 transaction failed 29189/-3, size 24-8 line 3147 17:25:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x68000000, 0x0, 0x0}) [ 2327.456767][T10208] binder: BINDER_SET_CONTEXT_MGR already set [ 2327.493202][T10208] binder: 10207:10208 ioctl 40046207 0 returned -16 [ 2327.537744][T10209] binder_alloc: 10190: binder_alloc_buf, no vma [ 2327.563698][T10209] binder: 10207:10209 transaction failed 29189/-3, size 24-8 line 3147 [ 2327.586958][T10208] binder: 10207:10208 Release 1 refcount change on invalid ref 0 ret -22 [ 2327.600376][T10208] binder: 10207:10208 ioctl c0306201 20000380 returned -14 [ 2327.626495][T10209] binder_alloc: binder_alloc_mmap_handler: 10207 20001000-20004000 already mapped failed -16 [ 2327.658966][T10208] binder: BINDER_SET_CONTEXT_MGR already set [ 2327.684300][T10208] binder: 10207:10208 ioctl 40046207 0 returned -16 [ 2327.707343][T10209] binder_alloc: 10190: binder_alloc_buf, no vma [ 2327.728882][T10209] binder: 10207:10209 transaction failed 29189/-3, size 24-8 line 3147 17:25:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6c000000, 0x0, 0x0}) [ 2327.865717][T10212] binder: BINDER_SET_CONTEXT_MGR already set [ 2327.885748][T10212] binder: 10211:10212 ioctl 40046207 0 returned -16 [ 2327.914889][T10212] binder_alloc: 10190: binder_alloc_buf, no vma [ 2327.937259][T10212] binder: 10211:10212 transaction failed 29189/-3, size 24-8 line 3147 17:25:36 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)=0x8) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2327.979549][T10213] binder: 10211:10213 Release 1 refcount change on invalid ref 0 ret -22 [ 2328.013608][T10213] binder: 10211:10213 ioctl c0306201 20000380 returned -14 [ 2328.045883][T10213] binder_alloc: binder_alloc_mmap_handler: 10211 20001000-20004000 already mapped failed -16 [ 2328.108242][T10212] binder: BINDER_SET_CONTEXT_MGR already set [ 2328.139682][T10212] binder: 10211:10212 ioctl 40046207 0 returned -16 [ 2328.139764][T10216] binder_alloc: 10190: binder_alloc_buf, no vma [ 2328.206566][T10216] binder: 10211:10216 transaction failed 29189/-3, size 24-8 line 3147 17:25:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x74000000, 0x0, 0x0}) [ 2328.354825][T10219] binder: BINDER_SET_CONTEXT_MGR already set [ 2328.390021][T10219] binder: 10218:10219 ioctl 40046207 0 returned -16 [ 2328.397497][T10219] binder_alloc: 10190: binder_alloc_buf, no vma [ 2328.419497][T10219] binder: 10218:10219 transaction failed 29189/-3, size 24-8 line 3147 [ 2328.435579][T10219] binder: 10218:10219 Release 1 refcount change on invalid ref 0 ret -22 [ 2328.446802][T10219] binder: 10218:10219 ioctl c0306201 20000380 returned -14 [ 2328.463953][T10221] binder_alloc: binder_alloc_mmap_handler: 10218 20001000-20004000 already mapped failed -16 [ 2328.481511][T10219] binder: BINDER_SET_CONTEXT_MGR already set [ 2328.487807][T10219] binder: 10218:10219 ioctl 40046207 0 returned -16 [ 2328.501895][T10221] binder_alloc: 10190: binder_alloc_buf, no vma [ 2328.508422][T10221] binder: 10218:10221 transaction failed 29189/-3, size 24-8 line 3147 17:25:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7a000000, 0x0, 0x0}) [ 2328.604923][T10223] binder: BINDER_SET_CONTEXT_MGR already set [ 2328.613608][T10223] binder: 10222:10223 ioctl 40046207 0 returned -16 [ 2328.626231][T10223] binder_alloc: 10190: binder_alloc_buf, no vma [ 2328.635628][T10223] binder: 10222:10223 transaction failed 29189/-3, size 24-8 line 3147 [ 2328.649720][T10223] binder: 10222:10223 Release 1 refcount change on invalid ref 0 ret -22 [ 2328.666914][T10223] binder: 10222:10223 ioctl c0306201 20000380 returned -14 [ 2328.677673][T10224] binder_alloc: binder_alloc_mmap_handler: 10222 20001000-20004000 already mapped failed -16 [ 2328.695222][T10223] binder: BINDER_SET_CONTEXT_MGR already set [ 2328.704253][T10223] binder: 10222:10223 ioctl 40046207 0 returned -16 [ 2328.717059][T10224] binder_alloc: 10190: binder_alloc_buf, no vma [ 2328.724966][T10224] binder: 10222:10224 transaction failed 29189/-3, size 24-8 line 3147 [ 2329.080633][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.086893][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.093230][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.099474][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.111935][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.118179][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.124490][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.130776][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2329.137210][T23288] binder: send failed reply for transaction 1004 to 10190:10191 [ 2329.144962][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2329.159974][T10200] device sit0 left promiscuous mode [ 2329.180237][T10202] device sit0 entered promiscuous mode 17:25:38 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) fcntl$getownex(r0, 0x10, &(0x7f0000000100)) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$PERF_EVENT_IOC_RESET(r3, 0x2403, 0x20) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:38 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0xfffffffffffffffe, 0x0, 0xa0008000) 17:25:38 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000100)={0x6, [0x4c, 0x3, 0x100, 0x6, 0x9, 0x49]}) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:25:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0xfdfdffff, 0x0, 0x0}) 17:25:38 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$vfio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/vfio/vfio\x00', 0x100, 0x0) ioctl$TIOCLINUX5(r0, 0x541c, &(0x7f0000000200)={0x5, 0x7f, 0x60000000, 0x8, 0x7}) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x40) openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000140)='/dev/btrfs-control\x00', 0x2, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) removexattr(&(0x7f0000000100)='./file0\x00', &(0x7f0000000180)=@known='trusted.syz\x00') mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:25:38 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r1 = dup(0xffffffffffffffff) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r1, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2329.310323][T10229] binder: 10225:10229 Release 1 refcount change on invalid ref 0 ret -22 [ 2329.318848][T10229] binder: 10225:10229 ioctl c0306201 20000380 returned -14 [ 2329.418495][T10236] device sit0 left promiscuous mode [ 2329.518254][T10242] binder_alloc: binder_alloc_mmap_handler: 10225 20001000-20004000 already mapped failed -16 [ 2329.599633][T10229] binder: BINDER_SET_CONTEXT_MGR already set [ 2329.621410][T10239] device sit0 entered promiscuous mode [ 2329.657086][T10229] binder: 10225:10229 ioctl 40046207 0 returned -16 [ 2329.730363][T23288] binder: release 10225:10229 transaction 1018 out, still active [ 2329.760635][T23288] binder: unexpected work type, 4, not freed 17:25:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0xfffffdfd, 0x0, 0x0}) [ 2329.776210][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2329.793016][T23288] binder: send failed reply for transaction 1018, target dead 17:25:38 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) keyctl$session_to_parent(0x12) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:38 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2329.907813][T10249] binder: 10248:10249 Release 1 refcount change on invalid ref 0 ret -22 17:25:38 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000100)='/dev/admmidi#\x00', 0xc29c, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000c8c000/0x18000)=nil, 0x0, 0x0, 0x500180de7f0000, 0x0, 0x0) 17:25:38 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) ioctl$TCXONC(r2, 0x540a, 0xaee0) [ 2329.961064][T10249] binder: 10248:10249 ioctl c0306201 20000380 returned -14 [ 2330.074856][T25500] binder: release 10248:10257 transaction 1026 out, still active [ 2330.098688][T25500] binder: unexpected work type, 4, not freed [ 2330.129131][T10261] misc userio: Invalid payload size [ 2330.143511][T25500] binder: undelivered TRANSACTION_COMPLETE 17:25:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x100000000000000, 0x0, 0x0}) 17:25:39 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r1 = dup(0xffffffffffffffff) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r1, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2330.197558][T25500] binder: release 10248:10249 transaction 1023 out, still active [ 2330.286633][T25500] binder: unexpected work type, 4, not freed [ 2330.319757][T25500] binder: undelivered TRANSACTION_COMPLETE 17:25:39 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x9}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x80, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) getsockopt$IP_VS_SO_GET_VERSION(r0, 0x0, 0x480, &(0x7f0000000100), &(0x7f0000000140)=0x40) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2330.362054][T25500] binder: send failed reply for transaction 1023, target dead [ 2330.378738][T10270] binder: 10267:10270 Release 1 refcount change on invalid ref 0 ret -22 [ 2330.398933][T25500] binder: send failed reply for transaction 1026, target dead [ 2330.438010][T10270] binder: 10267:10270 ioctl c0306201 20000380 returned -14 [ 2330.457333][T10253] device sit0 left promiscuous mode 17:25:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x60e47d157f0000) [ 2330.494491][T10275] binder_alloc: binder_alloc_mmap_handler: 10267 20001000-20004000 already mapped failed -16 17:25:39 executing program 0: openat$sequencer(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/sequencer\x00', 0x44000, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(r2, 0x84, 0x8, &(0x7f0000000140), &(0x7f0000000180)=0x4) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) openat$full(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full\x00', 0x400002, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2330.539752][T10270] binder: BINDER_SET_CONTEXT_MGR already set [ 2330.583851][T10270] binder: 10267:10270 ioctl 40046207 0 returned -16 [ 2330.584345][T25500] binder: release 10267:10270 transaction 1030 out, still active [ 2330.621673][T25500] binder: unexpected work type, 4, not freed [ 2330.653786][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2330.679646][T25500] binder_release_work: 4 callbacks suppressed [ 2330.679653][T25500] binder: undelivered TRANSACTION_ERROR: 29189 17:25:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x200000000000000, 0x0, 0x0}) [ 2330.731744][T25500] binder: send failed reply for transaction 1030, target dead 17:25:39 executing program 4: r0 = syz_open_dev$swradio(&(0x7f0000000100)='/dev/swradio#\x00', 0x0, 0x2) ioctl$DRM_IOCTL_ADD_BUFS(r0, 0xc0206416, &(0x7f0000000140)={0xff, 0x1f, 0xcce5, 0x1, 0x4, 0x10000}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f0000000180)={0x0, 0x54, "3920a33d88e5bdbe76c3fea5e2ba36b2583306124570d91718a36f440433ad9517790c2c19a68057d522a9da873d6db33536e8617bb5171e11c60c725112f3a16eb0b9d87cfde6c8f0b904bdf48066a96e66bfe3"}, &(0x7f0000000200)=0x5c) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r1, 0x84, 0x1a, &(0x7f0000000240)={r3, 0x55, "d227bd4325f883d9c26d67bfa25b839d9ba5a61e4c83d657ce6d4a838af13611e4ec2110010731cdf0745dce59470603c287bb395da82e5d4223c8d1c605bf34a7e552e05f2a48a9f8477e837050309d6621a881c9"}, &(0x7f00000002c0)=0x5d) r4 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r5 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r6 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r5, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) prctl$PR_MPX_DISABLE_MANAGEMENT(0x2c) write$capi20(r4, &(0x7f0000000300)={0x10, 0x1809, 0x0, 0x81, 0x8, 0x3}, 0x10) [ 2330.867885][T10286] binder: 10285:10286 Release 1 refcount change on invalid ref 0 ret -22 [ 2330.900076][T10286] binder: 10285:10286 ioctl c0306201 20000380 returned -14 17:25:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) ioctl$TCXONC(r2, 0x540a, 0xaee0) [ 2330.932830][T10289] binder_alloc: binder_alloc_mmap_handler: 10285 20001000-20004000 already mapped failed -16 [ 2330.996784][T10286] binder: BINDER_SET_CONTEXT_MGR already set [ 2331.028849][T10261] device sit0 entered promiscuous mode [ 2331.073445][T10292] binder: 10285:10292 ioctl c0306201 20000380 returned -14 [ 2331.083845][T10286] binder: 10285:10286 ioctl 40046207 0 returned -16 [ 2331.113761][T10269] device sit0 left promiscuous mode [ 2331.122675][T23288] binder: release 10285:10286 transaction 1035 out, still active 17:25:39 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2331.166379][T23288] binder: unexpected work type, 4, not freed [ 2331.182116][T10272] device sit0 entered promiscuous mode [ 2331.189007][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2331.200985][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x300000000000000, 0x0, 0x0}) [ 2331.231682][T23288] binder: send failed reply for transaction 1035, target dead 17:25:40 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x2, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000100)=0x17) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:40 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2331.356908][T10300] device sit0 left promiscuous mode [ 2331.374014][T10302] binder_thread_write: 1 callbacks suppressed [ 2331.374038][T10302] binder: 10298:10302 Release 1 refcount change on invalid ref 0 ret -22 [ 2331.423836][T10302] binder: 10298:10302 ioctl c0306201 20000380 returned -14 [ 2331.491299][T10307] binder_alloc: binder_alloc_mmap_handler: 10298 20001000-20004000 already mapped failed -16 [ 2331.505721][T10305] misc userio: Invalid payload size [ 2331.548292][T10302] binder: BINDER_SET_CONTEXT_MGR already set [ 2331.581232][T10302] binder: 10298:10302 ioctl 40046207 0 returned -16 17:25:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x400000000000000, 0x0, 0x0}) [ 2331.836985][T10313] binder: BINDER_SET_CONTEXT_MGR already set [ 2331.874660][T10313] binder: 10312:10313 ioctl 40046207 0 returned -16 [ 2331.906368][T10314] binder_alloc_new_buf_locked: 4 callbacks suppressed [ 2331.906376][T10314] binder_alloc: 10298: binder_alloc_buf, no vma [ 2331.919980][T10314] binder_transaction: 4 callbacks suppressed [ 2331.920011][T10314] binder: 10312:10314 transaction failed 29189/-3, size 24-8 line 3147 [ 2331.922949][T10305] device sit0 entered promiscuous mode 17:25:40 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2331.985136][T10313] binder: 10312:10313 Release 1 refcount change on invalid ref 0 ret -22 [ 2332.007672][T10313] binder: 10312:10313 ioctl c0306201 20000380 returned -14 [ 2332.055121][T10314] binder_alloc: binder_alloc_mmap_handler: 10312 20001000-20004000 already mapped failed -16 [ 2332.130714][T10313] binder: BINDER_SET_CONTEXT_MGR already set [ 2332.143841][T10313] binder: 10312:10313 ioctl 40046207 0 returned -16 [ 2332.167268][T10314] binder_alloc: 10298: binder_alloc_buf, no vma [ 2332.204995][T10314] binder: 10312:10314 transaction failed 29189/-3, size 24-8 line 3147 17:25:41 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x900000000000000, 0x0, 0xa0008000) 17:25:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x500000000000000, 0x0, 0x0}) [ 2332.344502][T10320] binder: BINDER_SET_CONTEXT_MGR already set [ 2332.375594][T10320] binder: 10319:10320 ioctl 40046207 0 returned -16 [ 2332.430095][T10323] binder_alloc: 10298: binder_alloc_buf, no vma [ 2332.436402][T10323] binder: 10319:10323 transaction failed 29189/-3, size 24-8 line 3147 [ 2332.470677][T10320] binder: 10319:10320 Release 1 refcount change on invalid ref 0 ret -22 [ 2332.515355][T10320] binder: 10319:10320 ioctl c0306201 20000380 returned -14 [ 2332.585882][T10323] binder_alloc: binder_alloc_mmap_handler: 10319 20001000-20004000 already mapped failed -16 [ 2332.617765][T10320] binder: BINDER_SET_CONTEXT_MGR already set [ 2332.632463][T10320] binder: 10319:10320 ioctl 40046207 0 returned -16 [ 2332.646248][T10325] binder_alloc: 10298: binder_alloc_buf, no vma [ 2332.665878][T10325] binder: 10319:10325 transaction failed 29189/-3, size 24-8 line 3147 [ 2332.705877][T10320] binder: 10319:10320 Release 1 refcount change on invalid ref 0 ret -22 [ 2332.738170][T10320] binder: 10319:10320 ioctl c0306201 20000380 returned -14 17:25:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x600000000000000, 0x0, 0x0}) [ 2332.898047][T10327] binder: BINDER_SET_CONTEXT_MGR already set [ 2332.913443][T10327] binder: 10326:10327 ioctl 40046207 0 returned -16 [ 2332.936716][T10327] binder_alloc: 10298: binder_alloc_buf, no vma [ 2332.953581][T10327] binder: 10326:10327 transaction failed 29189/-3, size 24-8 line 3147 [ 2332.976879][T10327] binder: 10326:10327 Release 1 refcount change on invalid ref 0 ret -22 [ 2332.999976][T10327] binder: 10326:10327 ioctl c0306201 20000380 returned -14 [ 2333.017977][T10328] binder_alloc: binder_alloc_mmap_handler: 10326 20001000-20004000 already mapped failed -16 [ 2333.080047][T10327] binder: BINDER_SET_CONTEXT_MGR already set [ 2333.088841][T10328] binder_alloc: 10298: binder_alloc_buf, no vma [ 2333.104652][T10327] binder: 10326:10327 ioctl 40046207 0 returned -16 [ 2333.134870][T10328] binder: 10326:10328 transaction failed 29189/-3, size 24-8 line 3147 17:25:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x700000000000000, 0x0, 0x0}) [ 2333.240964][T10331] binder: BINDER_SET_CONTEXT_MGR already set [ 2333.263888][T10331] binder: 10330:10331 ioctl 40046207 0 returned -16 [ 2333.287524][T10332] binder_alloc: 10298: binder_alloc_buf, no vma [ 2333.305156][T10332] binder: 10330:10332 transaction failed 29189/-3, size 24-8 line 3147 [ 2333.334367][T10331] binder: 10330:10331 Release 1 refcount change on invalid ref 0 ret -22 [ 2333.370046][T10331] binder: 10330:10331 ioctl c0306201 20000380 returned -14 [ 2333.384302][T10332] binder_alloc: binder_alloc_mmap_handler: 10330 20001000-20004000 already mapped failed -16 [ 2333.407014][T10332] binder: BINDER_SET_CONTEXT_MGR already set [ 2333.423827][T10333] binder_alloc: 10298: binder_alloc_buf, no vma [ 2333.441478][T10332] binder: 10330:10332 ioctl 40046207 0 returned -16 [ 2333.458311][T10333] binder: 10330:10333 transaction failed 29189/-3, size 24-8 line 3147 [ 2333.940031][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.946391][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.954351][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.961049][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.967380][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.974175][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.980925][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.987245][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2333.994053][T25500] binder: send failed reply for transaction 1040 to 10298:10302 [ 2334.002234][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2334.008302][T10316] device sit0 left promiscuous mode [ 2334.028793][T10317] device sit0 entered promiscuous mode 17:25:42 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r0, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$KVM_SET_IDENTITY_MAP_ADDR(r0, 0x4008ae48, &(0x7f00000000c0)=0x4000) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_ID(r1, 0x80082407, &(0x7f0000000100)) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:25:42 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x300000000000000, 0x0, 0xa0008000) 17:25:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0xa00000000000000, 0x0, 0x0}) 17:25:42 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:42 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000100)='/proc/capi/capi20ncci\x00', 0x0, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000140)={0x1, 'veth1_to_hsr\x00'}, 0x18) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) ioctl$VIDIOC_ENUMAUDIO(r3, 0xc0345641, &(0x7f0000000180)={0x101, "3292126f18d5e85c3226cea9c236c9f34acb7d3d938807f0a4c190b02bab439c", 0x3, 0x1}) pipe(&(0x7f00000001c0)) r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:42 executing program 1: r0 = syz_open_dev$swradio(&(0x7f0000000100)='/dev/swradio#\x00', 0x0, 0x2) ioctl$DRM_IOCTL_ADD_BUFS(r0, 0xc0206416, &(0x7f0000000140)={0xff, 0x1f, 0xcce5, 0x1, 0x4, 0x10000}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f0000000180)={0x0, 0x54, "3920a33d88e5bdbe76c3fea5e2ba36b2583306124570d91718a36f440433ad9517790c2c19a68057d522a9da873d6db33536e8617bb5171e11c60c725112f3a16eb0b9d87cfde6c8f0b904bdf48066a96e66bfe3"}, &(0x7f0000000200)=0x5c) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r1, 0x84, 0x1a, &(0x7f0000000240)={r3, 0x55, "d227bd4325f883d9c26d67bfa25b839d9ba5a61e4c83d657ce6d4a838af13611e4ec2110010731cdf0745dce59470603c287bb395da82e5d4223c8d1c605bf34a7e552e05f2a48a9f8477e837050309d6621a881c9"}, &(0x7f00000002c0)=0x5d) r4 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r5 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r6 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r5, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) prctl$PR_MPX_DISABLE_MANAGEMENT(0x2c) write$capi20(r4, &(0x7f0000000300)={0x10, 0x1809, 0x0, 0x81, 0x8, 0x3}, 0x10) [ 2334.229352][T10341] binder: 10337:10341 Release 1 refcount change on invalid ref 0 ret -22 [ 2334.238126][T10336] device sit0 left promiscuous mode [ 2334.305765][T10341] binder: 10337:10341 ioctl c0306201 20000380 returned -14 [ 2334.377063][T10349] binder_alloc: binder_alloc_mmap_handler: 10337 20001000-20004000 already mapped failed -16 [ 2334.389594][T10345] device sit0 entered promiscuous mode [ 2334.483227][T10341] binder: BINDER_SET_CONTEXT_MGR already set [ 2334.517354][T10341] binder: 10337:10341 ioctl 40046207 0 returned -16 [ 2334.567125][T10354] binder_alloc: 10337: binder_alloc_buf, no vma [ 2334.611886][T10354] binder: 10337:10354 transaction failed 29189/-3, size 24-8 line 3147 17:25:43 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) accept4$unix(r2, &(0x7f0000000100)=@abs, &(0x7f0000000180)=0x6e, 0x800) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2334.662494][T10341] binder: 10337:10341 Release 1 refcount change on invalid ref 0 ret -22 17:25:43 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x300000000000000, 0x0, 0xa0008000) 17:25:43 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2334.718917][T10341] binder: 10337:10341 ioctl c0306201 20000380 returned -14 [ 2334.727786][T23288] binder: send failed reply for transaction 1053 to 10337:10341 [ 2334.776809][T23288] binder: undelivered TRANSACTION_COMPLETE 17:25:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x2000000000000000, 0x0, 0x0}) [ 2334.874322][T10361] device sit0 left promiscuous mode 17:25:43 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x0, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000180)) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2334.911224][T10363] binder: 10362:10363 Release 1 refcount change on invalid ref 0 ret -22 17:25:43 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x0, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2335.019562][T10363] binder: 10362:10363 ioctl c0306201 20000380 returned -14 [ 2335.034201][T10365] misc userio: Invalid payload size [ 2335.064215][T10373] binder_alloc: binder_alloc_mmap_handler: 10362 20001000-20004000 already mapped failed -16 [ 2335.138287][T10363] binder: BINDER_SET_CONTEXT_MGR already set [ 2335.176392][T10363] binder: 10362:10363 ioctl 40046207 0 returned -16 [ 2335.205534][T10376] binder: 10362:10376 Release 1 refcount change on invalid ref 0 ret -22 [ 2335.205793][T25500] binder: release 10362:10363 transaction 1058 out, still active [ 2335.223611][T10373] binder_alloc: 10362: binder_alloc_buf, no vma [ 2335.270292][T25500] binder: unexpected work type, 4, not freed [ 2335.276438][T10373] binder: 10362:10373 transaction failed 29189/-3, size 24-8 line 3147 17:25:44 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x1) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) r5 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000140)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ADD(r2, &(0x7f0000000440)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x2000001}, 0xc, &(0x7f0000000400)={&(0x7f0000000180)={0x248, r5, 0x200, 0x70bd2a, 0x25dfdbff, {}, [@TIPC_NLA_SOCK={0x30, 0x2, [@TIPC_NLA_SOCK_REF={0x8}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x5}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x2}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8}]}, @TIPC_NLA_MEDIA={0x28, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}, @TIPC_NLA_PROP_WIN={0x8}]}]}, @TIPC_NLA_NET={0x28, 0x7, [@TIPC_NLA_NET_ADDR={0x8, 0x2, 0x40}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x6}, @TIPC_NLA_NET_ID={0x8}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x9}]}, @TIPC_NLA_NODE={0xc, 0x6, [@TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x1000}]}, @TIPC_NLA_MEDIA={0x50, 0x5, [@TIPC_NLA_MEDIA_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6a}]}, @TIPC_NLA_MEDIA_PROP={0xc, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}]}, @TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xeb}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}]}]}, @TIPC_NLA_MON={0xc, 0x9, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x8001}]}, @TIPC_NLA_BEARER={0x20, 0x1, [@TIPC_NLA_BEARER_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x5}, @TIPC_NLA_PROP_MTU={0x8}]}]}, @TIPC_NLA_NET={0xc, 0x7, [@TIPC_NLA_NET_ADDR={0x8, 0x2, 0x9}]}, @TIPC_NLA_LINK={0x120, 0x4, [@TIPC_NLA_LINK_PROP={0x54, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3ff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3a0}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1cd9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xff}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffffffffffffa}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfff}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x3c, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x10000}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9e}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7fff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1b}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100000001}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xfffffffffffffff8}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x34, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xff}, @TIPC_NLA_PROP_WIN={0x8}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x100000000}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x80}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1f}]}, @TIPC_NLA_LINK_PROP={0xc, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x43}]}]}]}, 0x248}, 0x1, 0x0, 0x0, 0x20000810}, 0x40800) 17:25:44 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2335.310879][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2335.321270][T10376] binder: 10362:10376 ioctl c0306201 20000380 returned -14 [ 2335.334060][T25500] binder: send failed reply for transaction 1058, target dead 17:25:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x3f00000000000000, 0x0, 0x0}) [ 2335.511586][T10383] binder: 10382:10383 ioctl c0306201 20000380 returned -14 [ 2335.543814][T10371] device sit0 left promiscuous mode [ 2335.583399][T10388] binder_alloc: binder_alloc_mmap_handler: 10382 20001000-20004000 already mapped failed -16 [ 2335.605413][T10374] device sit0 entered promiscuous mode [ 2335.637927][T10383] binder: BINDER_SET_CONTEXT_MGR already set [ 2335.676088][T10383] binder: 10382:10383 ioctl 40046207 0 returned -16 17:25:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4800000000000000, 0x0, 0x0}) [ 2335.836771][T10365] device sit0 entered promiscuous mode [ 2335.845610][T10393] binder: BINDER_SET_CONTEXT_MGR already set [ 2335.869111][T10393] binder: 10392:10393 ioctl 40046207 0 returned -16 17:25:44 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x0, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:44 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2335.897913][T10393] binder: 10392:10393 ioctl c0306201 20000380 returned -14 [ 2335.937113][T10394] binder_alloc: binder_alloc_mmap_handler: 10392 20001000-20004000 already mapped failed -16 [ 2335.985657][T10393] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.008458][T10393] binder: 10392:10393 ioctl 40046207 0 returned -16 [ 2336.054587][T10401] misc userio: Invalid payload size 17:25:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x4c00000000000000, 0x0, 0x0}) [ 2336.155339][T10403] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.179287][T10403] binder: 10402:10403 ioctl 40046207 0 returned -16 [ 2336.201876][T10404] binder: 10402:10404 ioctl c0306201 20000380 returned -14 [ 2336.224524][T10404] binder_alloc: binder_alloc_mmap_handler: 10402 20001000-20004000 already mapped failed -16 17:25:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6000000000000000, 0x0, 0x0}) [ 2336.255896][T10403] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.287285][T10403] binder: 10402:10403 ioctl 40046207 0 returned -16 [ 2336.371733][T10406] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.390029][T10406] binder: 10405:10406 ioctl 40046207 0 returned -16 [ 2336.401037][T10406] binder_thread_write: 3 callbacks suppressed [ 2336.401052][T10406] binder: 10405:10406 Release 1 refcount change on invalid ref 0 ret -22 [ 2336.438991][T10406] binder: 10405:10406 ioctl c0306201 20000380 returned -14 [ 2336.462587][T10406] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.478465][T10406] binder: 10405:10406 ioctl 40046207 0 returned -16 17:25:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6800000000000000, 0x0, 0x0}) [ 2336.604399][T10409] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.635769][T10409] binder: 10408:10409 ioctl 40046207 0 returned -16 [ 2336.650544][T10410] binder: 10408:10410 Release 1 refcount change on invalid ref 0 ret -22 [ 2336.671141][T10410] binder: 10408:10410 ioctl c0306201 20000380 returned -14 [ 2336.697245][T10410] binder_alloc_mmap_handler: 1 callbacks suppressed [ 2336.697261][T10410] binder_alloc: binder_alloc_mmap_handler: 10408 20001000-20004000 already mapped failed -16 17:25:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x6c00000000000000, 0x0, 0x0}) [ 2336.839426][T10412] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.866156][T10412] binder: 10411:10412 ioctl 40046207 0 returned -16 [ 2336.881206][T10412] binder: 10411:10412 Release 1 refcount change on invalid ref 0 ret -22 [ 2336.894565][T10412] binder: 10411:10412 ioctl c0306201 20000380 returned -14 [ 2336.904878][T10413] binder_alloc: binder_alloc_mmap_handler: 10411 20001000-20004000 already mapped failed -16 [ 2336.915469][T10412] binder: BINDER_SET_CONTEXT_MGR already set [ 2336.921862][T10412] binder: 10411:10412 ioctl 40046207 0 returned -16 [ 2336.928783][T10413] binder_alloc_new_buf_locked: 10 callbacks suppressed [ 2336.928791][T10413] binder_alloc: 10382: binder_alloc_buf, no vma [ 2336.943513][T10413] binder_transaction: 10 callbacks suppressed [ 2336.943538][T10413] binder: 10411:10413 transaction failed 29189/-3, size 24-8 line 3147 [ 2337.921335][T25500] binder_release_work: 5 callbacks suppressed [ 2337.921344][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.934347][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.941114][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.947529][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.955473][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.962263][T25500] binder: undelivered TRANSACTION_ERROR: 29189 17:25:46 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) fadvise64(r2, 0x0, 0x9, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) setsockopt$RDS_CANCEL_SENT_TO(r2, 0x114, 0x1, &(0x7f0000000100)={0x2, 0x4e24, @empty}, 0x10) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7400000000000000, 0x0, 0x0}) [ 2337.968703][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.975474][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.982270][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.988687][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2337.995537][T25500] binder: send failed reply for transaction 1063 to 10382:10383 [ 2338.003776][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2338.010333][T10381] device sit0 left promiscuous mode [ 2338.064196][T10416] binder: 10415:10416 Release 1 refcount change on invalid ref 0 ret -22 [ 2338.094867][T10416] binder: 10415:10416 ioctl c0306201 20000380 returned -14 [ 2338.119421][T10418] binder_alloc: binder_alloc_mmap_handler: 10415 20001000-20004000 already mapped failed -16 17:25:46 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getsockopt$ARPT_SO_GET_INFO(r2, 0x0, 0x60, &(0x7f0000000140)={'filter\x00'}, &(0x7f00000001c0)=0x44) bind$bt_rfcomm(r2, &(0x7f0000000240)={0x1f, {0x80, 0x4, 0x1, 0x101, 0x0, 0x2}, 0x3}, 0xa) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) setsockopt$netrom_NETROM_N2(r3, 0x103, 0x3, &(0x7f0000000200)=0x4, 0x4) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$FS_IOC_FSGETXATTR(r1, 0x801c581f, &(0x7f0000000100)={0x10000, 0x5, 0xfc8, 0x4, 0x80000001}) [ 2338.164862][T10416] binder: BINDER_SET_CONTEXT_MGR already set [ 2338.206088][T10416] binder: 10415:10416 ioctl 40046207 0 returned -16 [ 2338.206779][T10420] binder_alloc: 10415: binder_alloc_buf, no vma [ 2338.308611][T10418] binder: 10415:10418 Release 1 refcount change on invalid ref 0 ret -22 [ 2338.341675][T10418] binder: 10415:10418 ioctl c0306201 20000380 returned -14 [ 2338.346793][T10420] binder: 10415:10420 transaction failed 29189/-3, size 24-8 line 3147 [ 2338.357265][T23288] binder: send failed reply for transaction 1078 to 10415:10416 [ 2338.376612][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2338.452012][T10387] device sit0 entered promiscuous mode [ 2338.528417][T10396] device sit0 left promiscuous mode 17:25:47 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:47 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$KVM_GET_LAPIC(r2, 0x8400ae8e, &(0x7f0000000100)={"5384b6ca40da783a853f6794c3041e0938160698f3ccc5561cc8ccef37e303d0309ee571e34e59d4316871f2a4fe09513c5d86ccf2254fca4fa49756450d3ac2304402195543a88004f597e399c987711bf01e07687e9412e3cb8b9884338d7423666038eaeaf05b4dcdda2fc1038a2909d226006a1db866243266c7f0598922a99eae61905e2b78a78b52b02e59b95e0c3b3e0e1472baf8f49034dc54a4f56fa5158899111e5a1b4db6d0f0bead31946da68b39adaa313a4fdd7026ad72988073fa3894531ae4bd1006bd351b9649eb5a432c5d896348ca6f59a4881ae73064184b99237d4334e4f6b85f0fd5a673f6d5d0fe7f7cdcba8e28877cf6ac2d4020337d405d72652e24c24943f49b141f0dba913b7a054f16f0e7744c036349abb2eed0ac3ac22222f1928c40ba1b3c3b7af4c8f1dce356adb048882e3275665e82124c54d2a5c7f7f29e33412d8f2f360752c76d25567062a7bfb8e8ef3678d9c859ad8f1c63eb64c46d2f6c3e97eb50a2e9d48079dd4fb28580cfc4e38aec91ad08db98a2a086e3fccf6dea9164072f85e712be47a3c924f9ad6f5002483f2b2c14a1b7a3a1efd5639de57ac62245c0748b2d92ca487c518613dbfcea17b20d93c1633ed0d42c214ca048f1f6918b4613a263d66b26668afc93f963ef5bea400b222437762806a1dc52764a4949ab975b105ce81400a3f4e7720afcb47f1e08ccfa3d85610a545f75b0024795749fdf4c832da05f194ab5162ec34b0542237cdaf9704a0c275473ed15b2ecc501389b685b74e8d94c74d8add73b416e8ccaf8b1e72003de550a49a154861aae5d489f6d5450f1a9716bbe4550d26c0c1286dd898b0892ae00ceabe8e7264cabf4558212de604582e82842818d391fa3219bbc8140ce4563c83623e4eef1c268e1943ecd0b8fa88bc8f05033a166c4309e9ec95fc9e92b138b4b4a29ee4553e9cbcfb1461d32a920223601b82f297dfefab0bae3dbeb657cb439d79e53ed0abeeea1dc1766e763a8ed8c93467e070fe2501aaef0b150c566ca52df3188e6a9914815494d4660334be9e3ff956d87539eee3f1a3d7098f5f9325abe429e42faba61b1b375738576330b3b8eae522029f5070d1f5246bcc1f379fd08c51debf8679b8b0fd71e25cdd36f701fe347ba3a07ac329db4b3f498661d8159cf65374a161500c1cd81e6a080bb10987129d07dc7dc9e69d2eb95ae640ea090818f94c607213193981ac78397fd16be925c332ab0f5a00771e28b9a07a50a19d40dcef43ae05c15b04a31ab29ba76e76b6d1c2437cf4016511a5f614d52bfe2ef66e2945360d4a61c27360f8184eef209e2d7358962a5980bf4ac4e0c0c86fb6ee89b6715ea4a52a4b85b6542cb67be586e17d194aa7f4fe5f3ff8a042fd18962b4699873e97f9f950270976830ef4c8da1d9e8f1d173415d"}) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x7a00000000000000, 0x0, 0x0}) [ 2338.572313][T10398] device sit0 left promiscuous mode [ 2338.625566][T10429] binder: 10428:10429 Release 1 refcount change on invalid ref 0 ret -22 [ 2338.659374][T10429] binder: 10428:10429 ioctl c0306201 20000380 returned -14 [ 2338.684756][T10432] binder_alloc: binder_alloc_mmap_handler: 10428 20001000-20004000 already mapped failed -16 [ 2338.738930][T10429] binder: BINDER_SET_CONTEXT_MGR already set [ 2338.760757][T10429] binder: 10428:10429 ioctl 40046207 0 returned -16 [ 2338.787272][T10436] binder_alloc: 10428: binder_alloc_buf, no vma [ 2338.810052][T10432] binder: 10428:10432 Release 1 refcount change on invalid ref 0 ret -22 [ 2338.829937][T25500] binder: release 10428:10429 transaction 1083 out, still active [ 2338.838392][T10436] binder: 10428:10436 transaction failed 29189/-3, size 24-8 line 3147 [ 2338.850533][T25500] binder: unexpected work type, 4, not freed [ 2338.863559][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2338.872539][T10432] binder: 10428:10432 ioctl c0306201 20000380 returned -14 [ 2338.885602][T25500] binder: send failed reply for transaction 1083, target dead [ 2338.896261][T10400] device sit0 entered promiscuous mode [ 2338.951824][T10401] device sit0 entered promiscuous mode 17:25:47 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x0, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:47 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:47 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet_smc(0x2b, 0x1, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x0, 0x2) setsockopt$packet_rx_ring(r1, 0x107, 0x5, &(0x7f0000000080)=@req={0xffffffffffffffff, 0x3f, 0x1, 0x8}, 0x10) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000140)) bind(r0, &(0x7f0000000140)=@nl=@unspec, 0x80) r2 = syz_open_dev$admmidi(&(0x7f0000000280)='/dev/admmidi#\x00', 0x42, 0x10000) ioctl$DRM_IOCTL_GEM_OPEN(r2, 0xc010640b, 0x0) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r4 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r4, 0x84, 0xd, 0x0, 0x0) r5 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r2, 0x5401, &(0x7f0000000100)) r6 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r5, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) write$binfmt_misc(r6, &(0x7f00000002c0)=ANY=[@ANYBLOB="73797a31691bae2de40a3cab8e3a6cbfa23d7999b83958a75eedccec3701219964c1838c1f479ad556b243a5cadd0252aea286179a05b522443c61ee373e5105e3f3694c8517676ef57a91ab1c855c3b67cb34b62dd293ba83ce41e0893e92c17171d5261cb6f1b6e7e2855710eab3630839af00fb21d389afacaa85de672329a4"], 0x76) 17:25:47 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0xfdfdffff00000000, 0x0, 0x0}) [ 2339.102890][T10441] binder: 10440:10441 Release 1 refcount change on invalid ref 0 ret -22 [ 2339.170307][T10441] binder: 10440:10441 ioctl c0306201 20000380 returned -14 [ 2339.243377][T10451] binder_alloc: binder_alloc_mmap_handler: 10440 20001000-20004000 already mapped failed -16 [ 2339.254192][T10450] misc userio: Invalid payload size [ 2339.263615][T10431] device sit0 left promiscuous mode [ 2339.321174][T10451] binder_alloc: 10440: binder_alloc_buf, no vma [ 2339.327477][T10451] binder: 10440:10451 transaction failed 29189/-3, size 24-8 line 3147 [ 2339.337286][T10453] binder: BINDER_SET_CONTEXT_MGR already set [ 2339.393759][T10453] binder: 10440:10453 ioctl 40046207 0 returned -16 [ 2339.458215][T10441] binder: 10440:10441 Release 1 refcount change on invalid ref 0 ret -22 [ 2339.497364][T25500] binder: release 10440:10441 transaction 1088 out, still active [ 2339.505968][T10441] binder: 10440:10441 ioctl c0306201 20000380 returned -14 [ 2339.517971][T25500] binder: unexpected work type, 4, not freed [ 2339.538001][T25500] binder: undelivered TRANSACTION_COMPLETE 17:25:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x2, 0x0}) [ 2339.556818][T25500] binder: send failed reply for transaction 1088, target dead [ 2339.623866][T10457] binder: 10456:10457 Release 1 refcount change on invalid ref 0 ret -22 [ 2339.665069][T10458] binder_alloc: binder_alloc_mmap_handler: 10456 20001000-20004000 already mapped failed -16 [ 2339.688630][T10434] device sit0 entered promiscuous mode [ 2339.696800][T10457] binder: BINDER_SET_CONTEXT_MGR already set [ 2339.736380][T10457] binder: 10456:10457 ioctl 40046207 0 returned -16 [ 2339.752486][T10459] binder_alloc: 10456: binder_alloc_buf, no vma [ 2339.778869][T10459] binder: 10456:10459 transaction failed 29189/-3, size 24-8 line 3147 17:25:48 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x3, 0x0}) [ 2339.944386][T10463] binder: BINDER_SET_CONTEXT_MGR already set [ 2339.972891][T10463] binder: 10462:10463 ioctl 40046207 0 returned -16 [ 2339.999089][T10465] binder_alloc: 10456: binder_alloc_buf, no vma [ 2340.013812][T10465] binder: 10462:10465 transaction failed 29189/-3, size 24-8 line 3147 [ 2340.039832][T10463] binder_alloc: binder_alloc_mmap_handler: 10462 20001000-20004000 already mapped failed -16 [ 2340.064650][T10465] binder_alloc: 10456: binder_alloc_buf, no vma [ 2340.080955][T10463] binder: BINDER_SET_CONTEXT_MGR already set [ 2340.096617][T10465] binder: 10462:10465 transaction failed 29189/-3, size 24-8 line 3147 [ 2340.117680][T10463] binder: 10462:10463 ioctl 40046207 0 returned -16 17:25:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4, 0x0}) [ 2340.255493][T10468] binder: BINDER_SET_CONTEXT_MGR already set [ 2340.277205][T10468] binder: 10467:10468 ioctl 40046207 0 returned -16 [ 2340.304922][T10468] binder_alloc: 10456: binder_alloc_buf, no vma [ 2340.326807][T10468] binder: 10467:10468 transaction failed 29189/-3, size 24-8 line 3147 [ 2340.359231][T10469] binder_alloc: binder_alloc_mmap_handler: 10467 20001000-20004000 already mapped failed -16 [ 2340.400930][T10469] binder: BINDER_SET_CONTEXT_MGR already set [ 2340.418720][T10469] binder: 10467:10469 ioctl 40046207 0 returned -16 [ 2340.425323][T10470] binder_alloc: 10456: binder_alloc_buf, no vma [ 2340.425364][T10470] binder: 10467:10470 transaction failed 29189/-3, size 24-8 line 3147 17:25:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x5, 0x0}) [ 2340.574142][T10438] device sit0 left promiscuous mode [ 2340.608583][T10447] device sit0 entered promiscuous mode [ 2340.619289][T10472] binder: BINDER_SET_CONTEXT_MGR already set [ 2340.647183][T10472] binder: 10471:10472 ioctl 40046207 0 returned -16 17:25:49 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2340.685693][T10473] binder_alloc: 10456: binder_alloc_buf, no vma [ 2340.714957][T10473] binder: 10471:10473 transaction failed 29189/-3, size 24-8 line 3147 [ 2340.747703][T10473] binder_alloc: binder_alloc_mmap_handler: 10471 20001000-20004000 already mapped failed -16 [ 2340.771330][T10472] binder: BINDER_SET_CONTEXT_MGR already set [ 2340.788120][T10472] binder: 10471:10472 ioctl 40046207 0 returned -16 17:25:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6, 0x0}) [ 2340.902723][T10478] binder: BINDER_SET_CONTEXT_MGR already set [ 2340.908744][T10478] binder: 10477:10478 ioctl 40046207 0 returned -16 [ 2340.949002][T10479] binder_alloc: binder_alloc_mmap_handler: 10477 20001000-20004000 already mapped failed -16 [ 2340.977959][T10478] binder: BINDER_SET_CONTEXT_MGR already set [ 2340.998648][T10478] binder: 10477:10478 ioctl 40046207 0 returned -16 17:25:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7, 0x0}) [ 2341.116304][T10482] binder: BINDER_SET_CONTEXT_MGR already set [ 2341.134163][T10482] binder: 10481:10482 ioctl 40046207 0 returned -16 [ 2341.733031][T23288] binder: send failed reply for transaction 1093 to 10456:10457 [ 2341.741034][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2341.747191][T10446] device sit0 left promiscuous mode [ 2341.916267][T10450] device sit0 entered promiscuous mode [ 2341.973118][T10461] device sit0 left promiscuous mode 17:25:50 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getsockopt$ARPT_SO_GET_INFO(r2, 0x0, 0x60, &(0x7f0000000140)={'filter\x00'}, &(0x7f00000001c0)=0x44) bind$bt_rfcomm(r2, &(0x7f0000000240)={0x1f, {0x80, 0x4, 0x1, 0x101, 0x0, 0x2}, 0x3}, 0xa) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) setsockopt$netrom_NETROM_N2(r3, 0x103, 0x3, &(0x7f0000000200)=0x4, 0x4) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$FS_IOC_FSGETXATTR(r1, 0x801c581f, &(0x7f0000000100)={0x10000, 0x5, 0xfc8, 0x4, 0x80000001}) 17:25:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0xa, 0x0}) 17:25:50 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x40000, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) setsockopt$TIPC_GROUP_LEAVE(r0, 0x10f, 0x88) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000100)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f000037f000/0x1000)=nil, 0x1000, 0x0, 0x5c83e, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:25:50 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000100)={0x0, 0x800}, &(0x7f0000000140)=0x8) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r3, 0x84, 0x70, &(0x7f0000000180)={r4, @in={{0x2, 0x4e21, @multicast2}}, [0x80000001, 0x5, 0xc0b2, 0x2, 0x2, 0x0, 0x2, 0x8, 0x4, 0x46, 0x10001, 0xfffffffffffffffc, 0x0, 0x40, 0x7f]}, &(0x7f0000000280)=0x100) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2342.094045][T10487] binder_thread_write: 5 callbacks suppressed [ 2342.094061][T10487] binder: 10486:10487 Release 1 refcount change on invalid ref 0 ret -22 [ 2342.159208][T10492] binder_alloc_mmap_handler: 1 callbacks suppressed [ 2342.159227][T10492] binder_alloc: binder_alloc_mmap_handler: 10486 20001000-20004000 already mapped failed -16 [ 2342.190758][T10487] binder: BINDER_SET_CONTEXT_MGR already set [ 2342.239256][T10487] binder: 10486:10487 ioctl 40046207 0 returned -16 [ 2342.402844][T10498] binder_alloc_new_buf_locked: 5 callbacks suppressed [ 2342.402854][T10498] binder_alloc: 10486: binder_alloc_buf, no vma [ 2342.455111][T25500] binder: send failed reply for transaction 1108 to 10486:10487 [ 2342.470037][T10498] binder_transaction: 5 callbacks suppressed [ 2342.470056][T10498] binder: 10486:10498 transaction failed 29189/-3, size 24-8 line 3147 [ 2342.494277][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2342.502338][T10464] device sit0 entered promiscuous mode 17:25:51 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc296, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x240, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dsp\x00', 0x1a5040, 0x0) openat$zero(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero\x00', 0x400, 0x0) 17:25:51 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x0, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000180)) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x48, 0x0}) [ 2342.713217][T10503] binder: 10502:10503 Release 1 refcount change on invalid ref 0 ret -22 [ 2342.795801][T10506] binder_alloc: binder_alloc_mmap_handler: 10502 20001000-20004000 already mapped failed -16 [ 2342.885422][T10503] binder: BINDER_SET_CONTEXT_MGR already set [ 2342.900261][T10509] binder_alloc: 10502: binder_alloc_buf, no vma [ 2342.918102][T10503] binder: 10502:10503 ioctl 40046207 0 returned -16 [ 2342.946550][T10509] binder: 10502:10509 transaction failed 29189/-3, size 24-8 line 3147 17:25:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4c, 0x0}) [ 2343.081713][T10511] binder: BINDER_SET_CONTEXT_MGR already set [ 2343.103046][T10511] binder: 10510:10511 ioctl 40046207 0 returned -16 [ 2343.119386][T25500] binder_release_work: 19 callbacks suppressed [ 2343.119394][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2343.135123][T10512] binder_alloc: 10502: binder_alloc_buf, no vma [ 2343.145483][T10512] binder: 10510:10512 transaction failed 29189/-3, size 24-8 line 3147 [ 2343.156226][T25500] binder: send failed reply for transaction 1113 to 10502:10503 [ 2343.172549][T10511] binder: 10510:10511 Release 1 refcount change on invalid ref 0 ret -22 [ 2343.184792][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2343.194113][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2343.204840][T10512] binder_alloc: binder_alloc_mmap_handler: 10510 20001000-20004000 already mapped failed -16 [ 2343.218500][T25500] binder: undelivered TRANSACTION_ERROR: 29189 17:25:52 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x0, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2343.230624][T10512] binder_alloc: 10510: binder_alloc_buf, no vma [ 2343.247260][T10512] binder: 10510:10512 transaction failed 29189/-3, size 24-8 line 3147 [ 2344.844696][T10475] device sit0 left promiscuous mode [ 2344.863195][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2344.867407][T10476] device sit0 entered promiscuous mode [ 2344.871579][T23288] binder: undelivered TRANSACTION_ERROR: 29189 17:25:53 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x60, 0x0}) 17:25:53 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$VIDIOC_QUERYCAP(r0, 0x80685600, &(0x7f0000000100)) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:53 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) fsetxattr$trusted_overlay_redirect(r1, &(0x7f0000000100)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x1) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff833c, 0x500180de7f0000, 0x0, 0x0) 17:25:53 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2344.908154][T10514] device sit0 left promiscuous mode [ 2344.998598][T10520] binder: 10518:10520 Release 1 refcount change on invalid ref 0 ret -22 [ 2345.092784][T10528] binder_alloc: binder_alloc_mmap_handler: 10518 20001000-20004000 already mapped failed -16 [ 2345.140090][T10520] binder: BINDER_SET_CONTEXT_MGR already set [ 2345.173399][T10531] binder_alloc: 10518: binder_alloc_buf, no vma [ 2345.223622][T10528] binder: 10518:10528 Release 1 refcount change on invalid ref 0 ret -22 [ 2345.277360][T25500] binder: release 10518:10520 transaction 1121 out, still active [ 2345.279989][T10520] binder: 10518:10520 ioctl 40046207 0 returned -16 [ 2345.293170][T25500] binder: unexpected work type, 4, not freed [ 2345.311928][T10515] device sit0 entered promiscuous mode [ 2345.322433][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2345.346711][T25500] binder: send failed reply for transaction 1121, target dead [ 2345.347803][T10531] binder: 10518:10531 transaction failed 29189/-3, size 24-8 line 3147 17:25:54 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x10000, 0x0) recvfrom$llc(r3, &(0x7f0000000140)=""/110, 0x6e, 0x1, &(0x7f00000001c0)={0x1a, 0x31f, 0x75, 0x0, 0xfffffffffffffffb, 0x101, @local}, 0x10) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:25:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x68, 0x0}) 17:25:54 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2345.457973][T10522] device sit0 left promiscuous mode 17:25:54 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) fsetxattr$trusted_overlay_redirect(r1, &(0x7f0000000100)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x1) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff833c, 0x500180de7f0000, 0x0, 0x0) [ 2345.580097][T10539] binder: 10535:10539 Release 1 refcount change on invalid ref 0 ret -22 [ 2345.611961][T10541] binder_alloc: binder_alloc_mmap_handler: 10535 20001000-20004000 already mapped failed -16 [ 2345.673697][T10539] binder: BINDER_SET_CONTEXT_MGR already set [ 2345.722232][T10539] binder: 10535:10539 ioctl 40046207 0 returned -16 [ 2345.770435][T10541] binder: 10535:10541 Release 1 refcount change on invalid ref 0 ret -22 17:25:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6c, 0x0}) [ 2345.989409][T10548] binder: BINDER_SET_CONTEXT_MGR already set [ 2346.020965][T10548] binder: 10547:10548 ioctl 40046207 0 returned -16 [ 2346.035970][T10550] binder_alloc: 10535: binder_alloc_buf, no vma [ 2346.090760][T10548] binder: 10547:10548 Release 1 refcount change on invalid ref 0 ret -22 [ 2346.090788][T10550] binder: 10547:10550 transaction failed 29189/-3, size 24-8 line 3147 [ 2346.162485][T10550] binder_alloc: binder_alloc_mmap_handler: 10547 20001000-20004000 already mapped failed -16 [ 2346.202561][T10548] binder: BINDER_SET_CONTEXT_MGR already set [ 2346.223241][T10548] binder: 10547:10548 ioctl 40046207 0 returned -16 [ 2346.244328][T10550] binder_alloc: 10535: binder_alloc_buf, no vma [ 2346.265518][T10550] binder: 10547:10550 transaction failed 29189/-3, size 24-8 line 3147 17:25:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x74, 0x0}) [ 2346.361950][T10553] binder: BINDER_SET_CONTEXT_MGR already set [ 2346.384778][T10553] binder: 10552:10553 ioctl 40046207 0 returned -16 [ 2346.405799][T10553] binder_alloc: 10535: binder_alloc_buf, no vma [ 2346.427953][T10553] binder: 10552:10553 transaction failed 29189/-3, size 24-8 line 3147 [ 2346.458004][T10554] binder: 10552:10554 Release 1 refcount change on invalid ref 0 ret -22 [ 2346.493325][T10554] binder_alloc: binder_alloc_mmap_handler: 10552 20001000-20004000 already mapped failed -16 [ 2346.516674][T10524] device sit0 left promiscuous mode [ 2346.534568][T10553] binder: BINDER_SET_CONTEXT_MGR already set [ 2346.555525][T10527] device sit0 entered promiscuous mode [ 2346.564835][T10553] binder: 10552:10553 ioctl 40046207 0 returned -16 [ 2346.579485][T10554] binder_alloc: 10535: binder_alloc_buf, no vma [ 2346.603138][T10554] binder: 10552:10554 transaction failed 29189/-3, size 24-8 line 3147 [ 2346.617847][T10526] device sit0 entered promiscuous mode 17:25:55 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7a, 0x0}) 17:25:55 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2346.760010][T10557] device sit0 left promiscuous mode [ 2346.779069][T10559] binder: BINDER_SET_CONTEXT_MGR already set [ 2346.819015][T10559] binder: 10558:10559 ioctl 40046207 0 returned -16 [ 2346.837178][T10561] device sit0 left promiscuous mode [ 2346.846963][T10564] binder_alloc: 10535: binder_alloc_buf, no vma [ 2346.868722][T10564] binder: 10558:10564 transaction failed 29189/-3, size 24-8 line 3147 [ 2346.899632][T10559] binder: 10558:10559 Release 1 refcount change on invalid ref 0 ret -22 [ 2346.927388][T10564] binder_alloc: binder_alloc_mmap_handler: 10558 20001000-20004000 already mapped failed -16 [ 2346.956256][T10559] binder: BINDER_SET_CONTEXT_MGR already set [ 2346.975895][T10559] binder: 10558:10559 ioctl 40046207 0 returned -16 17:25:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x300, 0x0}) [ 2347.109003][T10566] binder: BINDER_SET_CONTEXT_MGR already set [ 2347.135022][T10566] binder: 10565:10566 ioctl 40046207 0 returned -16 [ 2347.166891][T10566] binder: 10565:10566 Release 1 refcount change on invalid ref 0 ret -22 [ 2347.179136][T10562] device sit0 entered promiscuous mode [ 2347.216055][T10567] binder_alloc: binder_alloc_mmap_handler: 10565 20001000-20004000 already mapped failed -16 [ 2347.247371][T10566] binder: BINDER_SET_CONTEXT_MGR already set [ 2347.267132][T10566] binder: 10565:10566 ioctl 40046207 0 returned -16 17:25:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x500, 0x0}) [ 2347.438908][T10569] binder: BINDER_SET_CONTEXT_MGR already set [ 2347.466487][T10569] binder: 10568:10569 ioctl 40046207 0 returned -16 [ 2347.501038][T10563] device sit0 entered promiscuous mode [ 2347.517359][T10570] binder_alloc_new_buf_locked: 3 callbacks suppressed [ 2347.517368][T10570] binder_alloc: 10535: binder_alloc_buf, no vma 17:25:56 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2347.563464][T10569] binder: 10568:10569 Release 1 refcount change on invalid ref 0 ret -22 [ 2347.634157][T10570] binder_transaction: 3 callbacks suppressed [ 2347.634175][T10570] binder: 10568:10570 transaction failed 29189/-3, size 24-8 line 3147 [ 2347.670420][T10570] binder_alloc: binder_alloc_mmap_handler: 10568 20001000-20004000 already mapped failed -16 [ 2347.715899][T10569] binder: BINDER_SET_CONTEXT_MGR already set [ 2347.736640][T10569] binder: 10568:10569 ioctl 40046207 0 returned -16 [ 2347.736929][T10574] binder_alloc: 10535: binder_alloc_buf, no vma [ 2347.785098][T10574] binder: 10568:10574 transaction failed 29189/-3, size 24-8 line 3147 [ 2348.594001][T10572] device sit0 left promiscuous mode [ 2348.635956][T10573] device sit0 entered promiscuous mode [ 2348.768571][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.774983][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.781297][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.787521][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.793847][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.800117][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.806356][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.812662][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.818909][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.825188][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2348.831598][T23288] binder: send failed reply for transaction 1126 to 10535:10539 [ 2348.839298][T23288] binder: undelivered TRANSACTION_COMPLETE 17:25:57 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) fcntl$setstatus(r1, 0x4, 0x40400) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, &(0x7f0000000100)={0x0, 0x0, 0x5}) ioctl$DRM_IOCTL_GEM_OPEN(r2, 0xc010640b, &(0x7f0000000140)={r3, 0x0, 0x6}) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) setsockopt$rose(r0, 0x104, 0x7, &(0x7f00000001c0)=0x8, 0x4) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000cb3000/0x2000)=nil, 0x2000, 0x0, 0x5c833, 0xffffffffffffffff, 0x0) ioctl$FS_IOC_SETFSLABEL(r2, 0x41009432, &(0x7f0000000200)="e564c8d7689d666d00850d32a9c27f6ec5b68ad5a93d4235943a742bb2d538431a0b544a8f7f50a55e8545bc567e318268d64d1e285b655281c7a68fe371cecb11cc76410c704fa720ea419900516f1674499295c788da11d86dd578f9a851e2260ec3320d5bdf78cae5559a010641d4424e2315579c4220e5c65716c51e277aa3605bb8ca6e6950f3403a66bad6e9dc12d76e6b0d5dcbf90bb7cf069f8eaf0810a684fb12087d2459598eae0bdfa32aad06ab5f122e0dd09378434bebf7124b7e36a5914c91bd039a032f79aae6418a1461552770cf790fe674c44042a9e3b3e187c8d65c6a5ae497abf917dc9503dc42217621a1482314a37774ec01a8440b") ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) setxattr$security_smack_transmute(&(0x7f00000003c0)='./file0\x00', &(0x7f0000000400)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000440)='TRUE', 0x4, 0x1) getsockopt$bt_BT_SECURITY(r2, 0x112, 0x4, &(0x7f0000000180), 0x2) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffff9c, 0x0, 0xe, &(0x7f0000000300)='/dev/admmidi#\x00', 0x0}, 0x30) bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000380)=r7, 0x4) 17:25:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x600, 0x0}) 17:25:57 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) lsetxattr$trusted_overlay_nlink(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='trusted.overlay.nlink\x00', &(0x7f0000000180)={'L-', 0x7}, 0x28, 0x3) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:25:57 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) fsetxattr$trusted_overlay_redirect(r1, &(0x7f0000000100)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x1) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff833c, 0x500180de7f0000, 0x0, 0x0) 17:25:57 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:57 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2348.970147][T10578] device sit0 left promiscuous mode [ 2348.987710][T10579] binder: 10575:10579 Release 1 refcount change on invalid ref 0 ret -22 [ 2349.051673][T10579] binder: BINDER_SET_CONTEXT_MGR already set [ 2349.057717][T10579] binder: 10575:10579 ioctl 40046207 0 returned -16 [ 2349.073568][T10589] binder: 10575:10589 Release 1 refcount change on invalid ref 0 ret -22 [ 2349.106195][T10582] device sit0 left promiscuous mode [ 2349.143782][T25500] binder: release 10575:10579 transaction 1140 out, still active [ 2349.152460][T10586] binder_alloc: binder_alloc_mmap_handler: 10575 20001000-20004000 already mapped failed -16 [ 2349.168001][T25500] binder: unexpected work type, 4, not freed [ 2349.203680][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2349.238531][T25500] binder: release 10575:10589 transaction 1143 out, still active [ 2349.288391][T25500] binder: unexpected work type, 4, not freed [ 2349.330941][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2349.343975][T25500] binder: send failed reply for transaction 1140, target dead [ 2349.361046][T25500] binder: send failed reply for transaction 1143, target dead 17:25:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x700, 0x0}) 17:25:58 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) fsetxattr$trusted_overlay_redirect(r1, &(0x7f0000000100)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x1) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff833c, 0x500180de7f0000, 0x0, 0x0) 17:25:58 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$VIDIOC_QUERYCTRL(r2, 0xc0445624, &(0x7f0000000140)={0x3, 0x7, "58c2e10faa04709725b0f92d90d91e8074c6f8517f1185ec6f85b6217c6cc0cc", 0x0, 0x0, 0x0, 0x9, 0x10}) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) socket$inet6(0xa, 0x3, 0x8) accept4$inet(r0, 0x0, &(0x7f0000000100), 0x80000) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:25:58 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$KVM_TRANSLATE(r2, 0xc018ae85, &(0x7f0000000100)={0x15000, 0xf000, 0xde, 0x2, 0x9}) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2349.525443][T10597] binder: 10596:10597 Release 1 refcount change on invalid ref 0 ret -22 [ 2349.598183][T10602] binder_alloc: binder_alloc_mmap_handler: 10596 20001000-20004000 already mapped failed -16 [ 2349.643853][T10597] binder: BINDER_SET_CONTEXT_MGR already set [ 2349.675007][T10597] binder: 10596:10597 ioctl 40046207 0 returned -16 [ 2349.790224][T10607] binder_alloc: 10596: binder_alloc_buf, no vma [ 2349.824916][T10587] device sit0 entered promiscuous mode [ 2349.847642][T10607] binder: 10596:10607 transaction failed 29189/-3, size 24-8 line 3147 [ 2349.912638][T10588] device sit0 entered promiscuous mode 17:25:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0xa00, 0x0}) 17:25:58 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:25:58 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2350.097974][T10614] binder: BINDER_SET_CONTEXT_MGR already set [ 2350.132988][T10614] binder: 10611:10614 ioctl 40046207 0 returned -16 [ 2350.170628][T10616] binder_alloc: 10596: binder_alloc_buf, no vma [ 2350.178994][T10616] binder: 10611:10616 transaction failed 29189/-3, size 24-8 line 3147 [ 2350.215652][T10614] binder: 10611:10614 Release 1 refcount change on invalid ref 0 ret -22 [ 2350.276827][T10616] binder_alloc: binder_alloc_mmap_handler: 10611 20001000-20004000 already mapped failed -16 [ 2350.335313][T10616] binder_alloc: 10596: binder_alloc_buf, no vma [ 2350.357006][T10620] binder: BINDER_SET_CONTEXT_MGR already set [ 2350.377704][T10614] binder: 10611:10614 Release 1 refcount change on invalid ref 0 ret -22 [ 2350.407298][T10616] binder: 10611:10616 transaction failed 29189/-3, size 24-8 line 3147 [ 2350.437015][T10620] binder: 10611:10620 ioctl 40046207 0 returned -16 17:25:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x2000, 0x0}) [ 2350.593860][T10622] binder: BINDER_SET_CONTEXT_MGR already set [ 2350.610230][T10622] binder: 10621:10622 ioctl 40046207 0 returned -16 [ 2350.634889][T10622] binder_alloc: 10596: binder_alloc_buf, no vma [ 2350.650783][T10622] binder: 10621:10622 transaction failed 29189/-3, size 24-8 line 3147 [ 2350.674041][T10622] binder: 10621:10622 Release 1 refcount change on invalid ref 0 ret -22 [ 2350.712912][T10623] binder_alloc: binder_alloc_mmap_handler: 10621 20001000-20004000 already mapped failed -16 [ 2350.758798][T10622] binder: BINDER_SET_CONTEXT_MGR already set [ 2350.783598][T10622] binder: 10621:10622 ioctl 40046207 0 returned -16 [ 2350.783698][T10624] binder_alloc: 10596: binder_alloc_buf, no vma [ 2350.813340][T10624] binder: 10621:10624 transaction failed 29189/-3, size 24-8 line 3147 17:25:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x3f00, 0x0}) [ 2350.984277][T10626] binder: BINDER_SET_CONTEXT_MGR already set [ 2351.005253][T10626] binder: 10625:10626 ioctl 40046207 0 returned -16 [ 2351.029342][T10627] binder_alloc: 10596: binder_alloc_buf, no vma [ 2351.054124][T10627] binder: 10625:10627 transaction failed 29189/-3, size 24-8 line 3147 [ 2351.087196][T10626] binder: 10625:10626 Release 1 refcount change on invalid ref 0 ret -22 [ 2351.119217][T10627] binder_alloc: binder_alloc_mmap_handler: 10625 20001000-20004000 already mapped failed -16 [ 2351.149151][T10626] binder: BINDER_SET_CONTEXT_MGR already set [ 2351.169939][T10613] device sit0 left promiscuous mode [ 2351.183136][T10626] binder: 10625:10626 ioctl 40046207 0 returned -16 [ 2351.209613][T10627] binder_alloc: 10596: binder_alloc_buf, no vma [ 2351.221373][T10615] device sit0 entered promiscuous mode [ 2351.233271][T10627] binder: 10625:10627 transaction failed 29189/-3, size 24-8 line 3147 [ 2351.277998][T10618] device sit0 left promiscuous mode 17:26:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4800, 0x0}) 17:26:00 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(0xffffffffffffffff, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2351.380125][T10630] binder: BINDER_SET_CONTEXT_MGR already set [ 2351.397928][T10630] binder: 10629:10630 ioctl 40046207 0 returned -16 [ 2351.408489][T10630] binder_alloc: 10596: binder_alloc_buf, no vma [ 2351.419757][T10630] binder: 10629:10630 transaction failed 29189/-3, size 24-8 line 3147 [ 2351.437386][T10630] binder: 10629:10630 Release 1 refcount change on invalid ref 0 ret -22 [ 2351.465505][T10634] binder_alloc: binder_alloc_mmap_handler: 10629 20001000-20004000 already mapped failed -16 [ 2351.483904][T10630] binder: BINDER_SET_CONTEXT_MGR already set [ 2351.493839][T10630] binder: 10629:10630 ioctl 40046207 0 returned -16 17:26:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4c00, 0x0}) [ 2351.574589][T10619] device sit0 entered promiscuous mode [ 2351.631735][T10636] binder: BINDER_SET_CONTEXT_MGR already set 17:26:00 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2351.676787][T10636] binder: 10635:10636 ioctl 40046207 0 returned -16 [ 2351.700816][T10637] binder_alloc: binder_alloc_mmap_handler: 10635 20001000-20004000 already mapped failed -16 [ 2351.738136][T10636] binder: BINDER_SET_CONTEXT_MGR already set [ 2351.767347][T10636] binder: 10635:10636 ioctl 40046207 0 returned -16 [ 2352.251877][T23288] binder: send failed reply for transaction 1147 to 10596:10597 [ 2352.259766][T23288] binder: undelivered TRANSACTION_COMPLETE 17:26:01 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2353.187148][T10632] device sit0 left promiscuous mode 17:26:02 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000200)={r2, &(0x7f0000000100)="1923af37d8c56b9c1f0a12adbd81cbe67d0bf4653e49678bd7fbeca2553ae6cdb15c1e11426312eb324066043aa79696d8431e2f8bfede1b0818ba0bfeac246113b10910d1c989dd3e66a689dcad0d6264bcd663e343ff53d722d83117422796756a95eb249ea27b898b53f8ec3a6b9ec789c99f72b4acf5545b2fc26889b98b2acc39b3df30e7de7943fd9e349f8b88144542a9d47553010c8a63e1cf6a47774b907658af22498e0b07c92650a538ce0c85f79b4cd4f2ca81f9e49cf48007b0851161fafb0494bb5879e05d4ecb8fb2f3afafdafdf62d96bbeffb58d938946d1765b22c58e8e4886910c7b698fa4c875eddbf5d75f73129bb5a78"}, 0x10) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6000, 0x0}) 17:26:02 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) fcntl$getownex(r0, 0x10, &(0x7f00000002c0)={0x0, 0x0}) r6 = getuid() getresgid(&(0x7f0000000300)=0x0, &(0x7f0000000340), &(0x7f0000000380)) r8 = getpgid(0x0) stat(&(0x7f00000003c0)='./file0\x00', &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000480)={0x0, 0x0, 0x0}, &(0x7f00000004c0)=0xc) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000500)=0x0) getresuid(&(0x7f0000000540), &(0x7f0000000580)=0x0, &(0x7f00000005c0)) fstat(r1, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$sock_FIOGETOWN(r1, 0x8903, &(0x7f0000001940)=0x0) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f0000001980)={{{@in, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in6=@loopback}}, &(0x7f0000001a80)=0xe8) getgroups(0x2, &(0x7f0000001ac0)=[0xffffffffffffffff, 0xffffffffffffffff]) ioctl$TIOCGPGRP(r1, 0x540f, &(0x7f0000001ec0)=0x0) fstat(r3, &(0x7f0000001f00)={0x0, 0x0, 0x0, 0x0, 0x0}) r19 = getegid() r20 = gettid() r21 = geteuid() stat(&(0x7f0000001f80)='./file0\x00', &(0x7f0000001fc0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r23 = getpgrp(0xffffffffffffffff) stat(&(0x7f0000002040)='./file0\x00', &(0x7f0000002080)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000002100)={0x0, 0x0, 0x0}, &(0x7f0000002140)=0xc) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f00000021c0)={0xffffffffffffffff, r3, 0x0, 0x24, &(0x7f0000002180)='\\cpuset\xb1wlan0em0vmnet0GPL(system$*}\x00', 0xffffffffffffffff}, 0x30) getresuid(&(0x7f0000002200)=0x0, &(0x7f0000002240), &(0x7f0000002280)) stat(&(0x7f00000022c0)='./file0\x00', &(0x7f0000002300)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$sock_FIOGETOWN(r4, 0x8903, &(0x7f0000002380)=0x0) getresuid(&(0x7f00000023c0), &(0x7f0000002400)=0x0, &(0x7f0000002440)) stat(&(0x7f0000002480)='./file0\x00', &(0x7f00000024c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000002d00)={0xffffffffffffffff, r3, 0x0, 0x2, &(0x7f0000002cc0)=']\x00'}, 0x30) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000002d40)={0x0, 0x0}, &(0x7f0000002d80)=0xc) getgroups(0x7, &(0x7f0000002dc0)=[0xffffffffffffffff, 0x0, 0xee01, 0xee01, 0xffffffffffffffff, 0xee01, 0x0]) sendmmsg$unix(r1, &(0x7f0000002e40)=[{&(0x7f0000000100)=@file={0x0, './file0\x00'}, 0x6e, &(0x7f0000000280)=[{&(0x7f0000000180)="be52fa3f3364941d47f9f3c42864d51f5b7ebb9c4d4095efeabea1abdd72c2aaa2ed180a2f3efd04a53769e9f4bf849eff38e780b52a95315b0910cffae83a16d779b58f546652b7be775f0cb649ab258c3acae4efc3cd43e6ede65ea41534383509188b1ea00a078bc3c5dd436dc6cb972efac29acb1e1e1b67510a89aefbbb0f19b9973c1a87904ab3360706bc81bfbc58e3085a9bfa5699d3436bb9a84ed9a48cf474cac542e62b16f9f3593ed3c3e614a843d4b168a7fb2f3a0afd9f23d2a5edfa20775c0b87c7d16bea785ced9c0903ead7b0fa9c61a282038fc334d07e0108ae6d7e8718e0633c703d80", 0xed}], 0x1, &(0x7f0000000680)=[@rights={0x20, 0x1, 0x1, [r4, r3, r1, r1]}, @cred={0x20, 0x1, 0x2, r5, r6, r7}, @cred={0x20, 0x1, 0x2, r8, r9, r10}, @cred={0x20, 0x1, 0x2, r11, r12, r13}], 0x80, 0x40}, {&(0x7f0000000700)=@abs={0x1, 0x0, 0x4e20}, 0x6e, &(0x7f0000001900)=[{&(0x7f0000000780)="7b6b04134392cb7cd21dcfdc3eb3f5d5a348437775f600166951256915c518aa6b285823c2f682f3fecfcc3ef3fd7454eb59fef09d03bc169fe9d8ee05e21ce59a3e52cca0da3935022286a46ddc7f9f3f0b4d3ea72951e793a20015c7631cc2bf80202a3f4558eb20a1f85cdc9d5d79ebe0261d62df6f8359016bfe6f9b6d8afedeff9b8483348d51b07dd69e27ae5636a647a652ac9492fa7f2965d5c55650058bd194d080a4e7ffd0d27d2736c6997cb56456ed915219d3b6d786c63edfaf1a21469f1bac425ea147ffb449f4571e32491fbdc20debbfb0f04db9edf003969497d217ce899a1037eee8625365d02f7a0df06b9149f8daa7f3cda48589e3c3434d16dcd7d205c0db25a1ff6218a7c29780113b7c2d878b00701c08c3be68206ad5a44c8845f1e9517f299f1ea41a7ffc23e6cf82cfaccc9e235c0708d7ed38222f40ecd7fba7d24bd81fe2069100bcefa2ca15927d1ea7fccebab59f30774abe5d27b590b1b3ffe24fb11acf5ea036494fcad361464c156de05e513fe4f7f974417afa60ce9917d133a6f8f2e36633cde40a159577dc73601497917fe1fc5fbfdda276e15da933b5cd251760f63db35c8c52a200bbf900d59bd9d567fee6c135dd57e7597d5587ea52b7e03434bc66c7fa84820f592c48020525d41a4aa66cd1c87060e1d3b99ed5c15e966262628b633f7c1f655d2854a81f447c026cce5ff961acff0c13f1920e4824f6998232a254805debdc127e33a1b4438d7f10ea5fdaa55d23485e10249b67342a03dd4d782a79d0e5ab3316f11260d84f3be98a0a276ec06b9ef8a0813ec4ed499d8b854b6440666714251322d05c232d5a8a2b7b27f3b50da85ef9f0c4cbaaf86894051a9301d59cab91c71c5008b8c7dfe8080b5ea1738dcae4394be4391e524fb439e353733217fd1de53901aa21abda0ec901711fb1aaf0cfacde95e6b9046dff803b6b0d1c499f32443dd6b5e3ec7a7db8fc337cb791e858a61aa2cef7b672c578d1a15bfbbac7c800af885550277ca2beba45c796080644e67df980dcc3fcc8a1dd12186fc30c7565b41eff27345bb8b3671634d34da00a4427257a9d6bb3c8054a155eb79a905f2cc449e6ceea3478314cc39a1f79971f71207aa1698d82d72e1ca9fa631f31331ec015e921221b0774e110fc909f6f46434de0fbc32cb40b19051817da51b496d347750c6872d3804fc9987b1c3e3919e5ee47715b8545014cc2fb392f323a2fe9fa60e1d36eb7d0b470ef384e5de19d7a199b7aa7d66bf967052e4571f65c77b0d86e414027293cec5c12935f0912a4ef3011208d283ddacbb8a33b3543270e76a8ac4f9c5835e54a3e9993c2adfb5231268c88d0b34b1bb3014cfd5019d8356d13fa001f369b6abfec131c555c8960e0d2e22e4d430be2d58b9f4fdc2c7fe3b7469290115ba4f82861bbb48f5020b6a81a814416872a996c0ff469d7d4089a0a1ac2ff4f046a99893b286d451117e5e6161601c6031ff1def847481d2fd3c46873259f7583d72943ffe5195a44f2ead2f382747f83857d93d7208d1cf6fc979beb6d2477c598836b1266c516e665a529e18f990202f40523a349f667f950b84c87a38bffdb962f612768595c77904a548461950cd74c0449dfe9c01efa90f78e8d7a74c9e2c0f6048f73efb110effdf8ef9c5c8adeb3af87519c78fa732e26c6c08c344de7b36855f3ac5848dea221fe3b74574804ed3affdd406f2f6e3fc36f822f444fb09b542712a3bf8b1bfd1280524d19526eebd54e125f4534527a6e9ae17d04da2752d4e447ab50faccfb2cc14d2d4c957f5a2534946ed8fe2f8264f37ed065309104e3959f8cacfac02dafb4ade8b9b6c2cae26b2b9724280cda18946e6b672842a5ddab24bfde512473ba4261f30263714b7906551855dc66b9589ff1f3a9a8db3c38e4a90cf4dbbd0041bec0660a8f2b8e9ecd80701e5fa745926a72c85e83367a2552e63e6970fe19c1d9c6280c1882b2c44b0a22cb788dabae0b6a6e83b827dfc0e55adb7a5f8d40d4456f883da07deed9fc1da64d4165a6c2456dfb05ce5d5e037820cdb9b6348c14150e32e8ba93e9002a512cdb8a830e8b1c5f1d47c6ffd5a2abee168fcc110bb9dc0bfcd61bbbaa0359565714b5e792aeeaef938e417cabd73160a5bf4f47f76a9eab020a2c17011d8c8783e19422da72d56e9dcaa4ca64a464ce273085f981b48b7f06a0187cacb8e5e19dddc5d3f59bc3afad07f0512d89cf7f48ec81b16dbaeb779db9ab33257b694b739c0ad1072a01d4f1055d086a74dac10aa7a6fd1d627221350a31d374a848d913e3c8e3570b5c81bfb60ffac418daf6edb62f768d2ba980738e61a327591e992f5c9844c28135ff669d90f0abf5c431247c106b787ea28ddeed063da4729705e7f7705c24dbc0b2930003390059ec62e2bd34a70bd0a4d406fd07c36282a7c21734b207ecd99bb89932c450c24a2893aa89521bcd62107df5291f12031f8194af348a5d099a47567fc5b9dcb2ae92cc450824a5e48a9d874b1e6cf42b3329ced99f327d6dbe2b2be050f2e080571039e0ccc03744d9ae49c6e5cf92056382a53d579fc4bcf136bac45551b3d0d3cb88a128f8c2e675ed11c90076db277b9b2fc47c3ffb20079c687b77e0fd0709c2149c6e6905fdc9772f208784b82e9e08489908d6286210e04386659b36b70a48d5850da3f5930bb8443b7579d9dc3043711b16c30a8f229a15e89bd10780d37dde7880800bfe05e32901ca0fdc69b24bdd8601e3c9c3186f953787c94276891ca3f9c2b5719ee39c26bd232b91d8ceda5d804264793975426c338a3482e9b568e52b8833ccc9c6a0c3c5b1b476150e554a5e2316fecad8cd7e00ad50fed2e97a5d0f0ec1cb314f09d0932043a7b6aecc391a876ecb672af7998c1a7ccbf7a454f68790d4bf9282cc5d149be3dbe0aba93c146b4fcec26038cb918ce4a534b05298350968aa7e98fc3391e011fbb72929229d57108b70d065819f0a7c21b358dc41ee13c33766bfb39f73a88fe21b949146f630904478d33815f9c551e95d926c2f791f0158dded90e7e49ee248ef9cebe6b34ae1989057ba664c2cc7a663acaf8c5e9cc731c57a9937ce93cff783e91ef17b8251883600d9d52e5ed27950447455842cfe002b3639a4a0695b3deabe622f87c2a60c7cfa655cdccc1df0a9b2c5c814b0b9f1a5e2f6b6fb952d5cdc084e9842c3cdf64dfec5076156a25f6cda3f7ac66e8f8f7c6c66ab6c07ebf4716aee61557f6be6a7f1029dd0965a4401a211aff74e2e7a9b0bfffe9694dddf4d9f676b2b3998c1982d3b658fd8eba526083e54c567871c31d2de2df5b09ee8c4b64501ccbf667244c5ee7cf84abcc3a94af66f2bc2fcf5150e58b0a00cffa855dc26b6e0209131f591eb94ef66880f3a2ccd7212b667d41d261cfefac858574de038aa8618e4bd4914a8553d3552b21cba258d0fab0dc70e7e688366c208ee22fedb74089d98e83861e215afaf91d60046feba5fe4884e51ae2ffa5cb3170118588d0e5d5b5561110c79bf0a3ba012473394e83d2ab73a17343fa0d155a6fa20ed23e1ded7ba48143ff7df52cc9cae2f5ae6c718c3cfccfb3128c6d170320b12b7b7c67ca93852a7ec029e333549617e8d0ee8240af00ac94318bfc0fc283213dc0092f15bc767efde783289cb17c794b68492f45f05618738f00117444f01b37c529d78dc6551f5fe51dfdb45af71d13e1354108e8a98c14e95829c3cf27272768410f79a8e631f0da7e5cb1cd7f74da9d3ad47b4e023b4c1eeff2fd34268bbe369e1dd62842a3556f1ae8bdf6d8c07a0786db3efc36255464739354e300adc46ddc2e41f367e987300088ee3e4bb47ff3fca87ccd5fea7ec0156bd3f91ac6b928cf5ebf028002189c328c0ae9d74938587072d5fb3324fa1f35e5eec8490af331947331fc34891d29b8bcc99fc09a7d079817ea6087fc2ad77c67221c31f984e4c6149694b06ccd5065625a4e98250860d3bf37baa6489e190a2088e733420e1bd95aacb166d052f9ff58cdeecd1e5d9a41442aa4d6c4ae69573c7b727f3cfe34ec756c15553604c405157b9a4bbdbf3f6190b076ce2be5ca9bde6c63a20dbc0a068d47c74318ac3eb6618f681f31583257b5f25142a6f1e0c3e79a8fb2596b415fee7df757851ef277ed71b796871f9382f48647eb6fc1384e75e29c732434ca2452c1a61082744c24084f211da54d2b50885e1154c8df024a0148d8c3a986eb620eb19fdca8f9280f1bc464fccd939049fab53c546273e88bef11805ea54cb2f0e20111cfd47f7f73093b19fa04ad4c128f341e6d2c7fa56024ed5871f088344821f168e41e1a5c3277503f8c4659608ac46d2b89db4fbd0630a3ca502dbdd946b9649dcbb7103a19bdea8a1bb67b4c9fbbf62052ea244cf714b32d90dbf09ba83ecfdf361ac42c5e7406465574eb5aa668a258d5184881311c289c5b67392ba73c3445a14cec0faddf32f27b9aee9a8c572c4873e74a283ac62412994d0161517d7278d0409e851950a90708fdb1b470a5eed40fdb141f13ec3271c2de5c496b00caeb674b44ef25f2d0e9a987056a1b2d3b7b32356bdc65e7c77658450d8e3ada31345355934d6efbdeb84d9e36c1cfdd5cb3db18c7e92afc4feaf0ab0421ae201307dfa9c19ed139d5ea50c8acd39e3fde37472438e312c7fc4bb7be62797a64829bf7f46c702e4e53391cf1e484dcc4ef515362ee2fc806607b06357f28bf49c6fd3da2778249011a7b1398763e4c2ca4a7c2b5d6561ff88623850ee81fbfc1a83ab97003dd09c0a473c81dd388a3829f47db60f230938090383fda59a17f4d0d62c5a268bde39b6ac0c153d80ceadee6da9e3f65f63026b6664489a6b7f539089328c6d14980f8a4f120e6d742a58c22494d8eb9e5b184c31843f7329e29dcbb341a149f19349f867e2f820dcdea2b7799074d05e0bd825672e765811bf752f48e83de64223df55fd6b7b07765442d2b73db55466734f98b9101a8ef96b04dc4b438ea1b3fd69cb3e672003e871634780e67a0d20004b3d6490e8592d1365fe5fec9bb705ceb61f919e0f4d9c301c875d764c706b681671716d293dd46938e54bbfa5c8aed3b9c7b5d4899d5b91374862b5fa19af3615a916920605b67104d4e748c3235495f5b027028324afaaee3d00557291563f1f719267440422baaa4fb7365f5bd24b7f3c01c8e994ae465dc68974e055f6eee9765baee7f3d2eb65f6ca281ae697fb42ab0c21ccfc63663eb696b7d4d13d85e341645dd21728f71656b586401ab1869b7cb188d2f51d906dc35904c6295d0255d2bd1d558adb4fa1e7118d5f35cb3bfe084d20dc6001d6323ab6865de069ee86207e923b911d8d2b6960bb469da5fb7de00849eb35d503c9f11d48f5d093f2c090e76b4de59a987e12fdf49bc900802d5ad8fd013ffae0e71cb18242597d644b2d8415efe83149d330cc93d081465a2501f64b51965ad23f0423fd4c235b5e98b776bf84cbb83e9268c65c521306c3d3734e231dd33e9a6ee8485a8b51548015ba6ca2e9abbb56f218fd7f9c3a933b25530261868d52ee099f64ee64425853b186ec651fdc20a3e3cd9a649b59798700912795354ad894b6b073f5867f489783a4e35c104ef76080c2622eb712a2da8f2b7ee53b0aa260200bd36b966424e98f9f00af2e6c0c116144efb32b510896b901dfd35ad659883d0f90f583be99cea7656d95bb48df5567bb6c42f471797979d6328c00afbc754f", 0x1000}, {&(0x7f0000001780)="a6e5f8bd48af6448bc151872cf7c32be92e663dcea2773df8c29c33d4ff7a371c5f9d4d8a695884e5613ff6f0f2f05ef69847d5cb9499800", 0x38}, {&(0x7f00000017c0)="741b8b6e81e736f496f3df1211da4a015eaf8a47b29fff21c529d61f97c36c3d1b85124e406a731352003804377d4ae7a398ced4e41191200ba0a6587c", 0x3d}, {&(0x7f0000001800)="d8dd508e49f007a3aaad97c12c9f5bf68ad4555f09b71315111b675a76027b6d57eb4582947d4a8f8f3016232e9aecbbdc699df83618da153e48aaa76781bff8e69e8118d5c00e51c14b2292c3e95dc54dafd84232c768afa3259068ea43ddb36ad8ebb8d0092240f10c15afc7c62cc2be7f0738aadb1bb9db79b48639921eaf1e0bfe72411431f65cbbdd3305a428a7d3cb05d63e53576b943afa38373dd9a685362881f8e7f0e9b9afa745c96a67796424618402a79135d3e1f4b665af58ea31a9c6b562d0d373047c37dbd39139f368de7b47b51e8c317276fc", 0xdb}], 0x4, &(0x7f0000001b00)=[@rights={0x20, 0x1, 0x1, [r4, r4, r1]}, @rights={0x20, 0x1, 0x1, [r3, r1, r2, r2]}, @cred={0x20, 0x1, 0x2, r14, r15, r16}], 0x60, 0x20008010}, {&(0x7f0000001b80)=@abs={0x1, 0x0, 0x4e20}, 0x6e, &(0x7f0000001e80)=[{&(0x7f0000001c00)="2ac5b2f783886d5b2af8b44c91123c16eafe9b01b40f544a77154e8419503b4ccfec14c6a6741fbc602a12f687c663809637724f532983a9408234aae5119ec1786ff2fdbe2a24b23d805d1196878a7f2fe06e2d2a53b60b868739c36e0f4689c8df9f706da27741fa333ba966a44aeb08c925dcad4af086a2ba8e7ba0a0c3f0b674b45608c1", 0x86}, {&(0x7f0000001cc0)="384e8a71ad8ead51ed1609aad4494cecdaafc4dc834daf42b8dcb4ed9a174a7921db44e4145f231d47828b6623e60edb09c9f0ce96409b54b2d1f5cde4de4399d535278d1876e73afdc639ba9cbbeaaeb5d025d8aea296ea3b772ccb94bfcc55a8beb5bd5ec458dcc0d7aaf1ab4ed79a85e829ea4b7fd63f130ef20d48bbd60e9c07b7b78be97c1ff99a960814a878fbd051303d16ee15f33b8de5f1bbb3fef70ed67b237446c620244c1d7db98a30d7c88488f90234bb6bdbba07cc9eb912da56a66244d2cd7b2a15672916983f62fae728c4925680701db1f943ed", 0xdc}, {&(0x7f0000001dc0)="57a81afcacccd59338a121d238d5521a678b9b25ec4357b5c4f381f5e5cf8ae193b76a5541cd628270beac5f32247b1bd991bf881c8f5cacb95060571ddbcba507ca0db468042a207b478f1a074505ab8473591382bebbe55945c97a73560c9fbd834e935b350fa5c0b637d39c5e19b2248e8b9ad6e503", 0x77}, {&(0x7f0000001e40)}], 0x4, &(0x7f0000002540)=[@cred={0x20, 0x1, 0x2, r17, r18, r19}, @rights={0x18, 0x1, 0x1, [r0, r0]}, @cred={0x20, 0x1, 0x2, r20, r21, r22}, @cred={0x20, 0x1, 0x2, r23, r24, r25}, @cred={0x20, 0x1, 0x2, r26, r27, r28}, @rights={0x18, 0x1, 0x1, [r1]}, @rights={0x18, 0x1, 0x1, [r1]}, @rights={0x18, 0x1, 0x1, [r0, r1]}, @cred={0x20, 0x1, 0x2, r29, r30, r31}], 0x100, 0x4000000}, {&(0x7f0000002640)=@abs={0x1, 0x0, 0x4e22}, 0x6e, &(0x7f0000002880)=[{&(0x7f00000026c0)="dcbdf6eb7318fd4864935595a7095dfd53d9fc9a16aa6d2704c1e4c4501b6fc662a240531f96b4d05b90c9d62a34fa3713327838f79c96ece6e5a4eed6b7e7dddbbbd5d1b80e5f25a617f0b503a2034d9082b8ca8245644737f5d0d895c9ea8070f473246850ae4703767d3c2dc268a39967c6bee292daaf4a8afb488a0f8cd76a27bab91c1148724d9a78f1db7315ff59fdef3aab", 0x95}, {&(0x7f0000002780)="c4e45fa6fd9fa469063f7b2a632251a793af38c9cd6ae582d2886a7bc9027b26210c2fc9a73e0f73d77b53210a2aa722345cb9ef598cd202c9b9d19fc4fb34ab90172c3d866a6bc4504b3efb483d3a499a43c69321edf1d20f99ed8b7be50a040e826eb7307307464f457166c4a140bc95a29684c5d43f6510f89687aafb348ca4114ca5f6ff2639c9f9e0c6a8cb137151253d2c536a22b5cc0e26b4ad3219728c41e90fa0a5a85144b2effc878af8ccfb8ca55a25aa5346f68ee0635d52e445284ea8f0692cab915d50e99e5b26fc", 0xcf}], 0x2, 0x0, 0x0, 0x4000041}, {&(0x7f00000028c0)=@abs={0x0, 0x0, 0x4e23}, 0x6e, &(0x7f0000002ac0)=[{&(0x7f0000002940)="383923ff858fbe63830b041366aaa18c2940782805d7e13b8c49ad096eae0fc64575d0b56203fdc5e950cb8782ea161b4c606e4910055140c5b576ad0b82d36a2dcd2fe256874c4837ee601ff490acb2f18ec47b2d9d96fd443d57f6331480d47dd10318fb87e6f034bdad486cd8e4287c8923613fc413fbe9354965c2de670d9ed25ac8fb70", 0x86}, {&(0x7f0000002a00)="9170bf19a9", 0x5}, {&(0x7f0000002a40)="08214b6f94f9412f5d963cc894cd2a000bdb9b31", 0x14}, {&(0x7f0000002a80)="81aaf9201b272153248fc3ff442558e45027a13cccede7d16deae61c4ff06831176a0c", 0x23}], 0x4, 0x0, 0x0, 0x20040000}, {&(0x7f0000002b00)=@abs={0x1, 0x0, 0x4e20}, 0x6e, &(0x7f0000002c80)=[{&(0x7f0000002b80)="f9c72aff6a59ea0048c94d0038cd07b952ca8877e387f6575ca9f5a8adbd69485ccb7802beb9018b0e1c241f08a47465754b60e6bfe93862afec4fe68f18bbdb833fdad92fc13830552a8dadc6853b98", 0x50}, {&(0x7f0000002c00)="c1c0faa65267ca9463e5c74d3213a8684edd73ca656644dc18b9de9f125bd40e5888daaeadbdfb64dc5ff31f780a12449754e56dbf60454d96e878a18485949dc3edc4973b0679231dd29a08927ee16c07d2cf3da86a88c5f467f7c517e50a7969ec123bb46370363d7d", 0x6a}], 0x2, &(0x7f0000002e00)=[@cred={0x20, 0x1, 0x2, r32, r33, r34}], 0x20, 0x40}], 0x6, 0x10) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r35 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r36 = ioctl$KVM_CREATE_VCPU(r35, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r36, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2353.232615][T10633] device sit0 entered promiscuous mode [ 2353.298831][T10639] device sit0 left promiscuous mode [ 2353.317653][T10645] binder_thread_write: 1 callbacks suppressed [ 2353.317669][T10645] binder: 10643:10645 Release 1 refcount change on invalid ref 0 ret -22 17:26:02 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(0xffffffffffffffff, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2353.419361][T10651] binder_alloc: binder_alloc_mmap_handler: 10643 20001000-20004000 already mapped failed -16 [ 2353.494826][T10645] binder: BINDER_SET_CONTEXT_MGR already set [ 2353.535785][T10645] binder: 10643:10645 ioctl 40046207 0 returned -16 17:26:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6800, 0x0}) [ 2353.626804][T25500] binder: send failed reply for transaction 1162 to 10643:10645 [ 2353.671826][T25500] binder: undelivered TRANSACTION_COMPLETE 17:26:02 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2353.729289][T10641] device sit0 entered promiscuous mode [ 2353.766488][T10660] binder: 10659:10660 Release 1 refcount change on invalid ref 0 ret -22 [ 2353.828981][T10663] binder_alloc: binder_alloc_mmap_handler: 10659 20001000-20004000 already mapped failed -16 [ 2353.866162][T10660] binder: BINDER_SET_CONTEXT_MGR already set 17:26:02 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2353.897539][T10660] binder: 10659:10660 ioctl 40046207 0 returned -16 [ 2353.926547][T10663] binder_alloc_new_buf_locked: 3 callbacks suppressed [ 2353.926557][T10663] binder_alloc: 10659: binder_alloc_buf, no vma [ 2353.950325][T10663] binder_transaction: 3 callbacks suppressed [ 2353.950343][T10663] binder: 10659:10663 transaction failed 29189/-3, size 24-8 line 3147 [ 2354.045997][T10668] misc userio: Invalid payload size 17:26:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6c00, 0x0}) [ 2354.145454][T10670] binder: BINDER_SET_CONTEXT_MGR already set [ 2354.157560][T10670] binder: 10669:10670 ioctl 40046207 0 returned -16 [ 2354.180001][T10670] binder_alloc: 10659: binder_alloc_buf, no vma [ 2354.195539][T10670] binder: 10669:10670 transaction failed 29189/-3, size 24-8 line 3147 [ 2354.218805][T10670] binder: 10669:10670 Release 1 refcount change on invalid ref 0 ret -22 [ 2354.241158][T10671] binder_alloc: binder_alloc_mmap_handler: 10669 20001000-20004000 already mapped failed -16 [ 2354.287935][T10670] binder: BINDER_SET_CONTEXT_MGR already set [ 2354.296712][T10671] binder_alloc: 10659: binder_alloc_buf, no vma [ 2354.311434][T10670] binder: 10669:10670 ioctl 40046207 0 returned -16 [ 2354.327289][T10671] binder: 10669:10671 transaction failed 29189/-3, size 24-8 line 3147 17:26:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7400, 0x0}) [ 2354.424350][T10674] binder: BINDER_SET_CONTEXT_MGR already set [ 2354.437712][T10674] binder: 10673:10674 ioctl 40046207 0 returned -16 [ 2354.460113][T10674] binder_alloc: 10659: binder_alloc_buf, no vma [ 2354.475802][T10674] binder: 10673:10674 transaction failed 29189/-3, size 24-8 line 3147 [ 2354.497984][T10674] binder: 10673:10674 Release 1 refcount change on invalid ref 0 ret -22 [ 2354.526884][T10675] binder_alloc: binder_alloc_mmap_handler: 10673 20001000-20004000 already mapped failed -16 [ 2354.567620][T10675] binder: BINDER_SET_CONTEXT_MGR already set [ 2354.595515][T10675] binder: 10673:10675 ioctl 40046207 0 returned -16 [ 2354.595550][T10676] binder_alloc: 10659: binder_alloc_buf, no vma [ 2354.625001][T10676] binder: 10673:10676 transaction failed 29189/-3, size 24-8 line 3147 17:26:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7a00, 0x0}) [ 2354.745377][T10678] binder: BINDER_SET_CONTEXT_MGR already set [ 2354.765624][T10678] binder: 10677:10678 ioctl 40046207 0 returned -16 [ 2354.786280][T10678] binder_alloc: 10659: binder_alloc_buf, no vma [ 2354.804194][T10678] binder: 10677:10678 transaction failed 29189/-3, size 24-8 line 3147 [ 2354.827167][T10678] binder: 10677:10678 Release 1 refcount change on invalid ref 0 ret -22 [ 2354.853378][T10679] binder_alloc: binder_alloc_mmap_handler: 10677 20001000-20004000 already mapped failed -16 [ 2354.894165][T10680] binder_alloc: 10659: binder_alloc_buf, no vma [ 2354.894369][T10679] binder: BINDER_SET_CONTEXT_MGR already set [ 2354.912006][T10680] binder: 10677:10680 transaction failed 29189/-3, size 24-8 line 3147 [ 2354.925868][T10679] binder: 10677:10679 ioctl 40046207 0 returned -16 17:26:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x1000000, 0x0}) [ 2355.100695][T10682] binder: BINDER_SET_CONTEXT_MGR already set [ 2355.117287][T10682] binder: 10681:10682 ioctl 40046207 0 returned -16 [ 2355.135427][T10682] binder_alloc: 10659: binder_alloc_buf, no vma [ 2355.153537][T10682] binder: 10681:10682 transaction failed 29189/-3, size 24-8 line 3147 [ 2355.176555][T10682] binder: 10681:10682 Release 1 refcount change on invalid ref 0 ret -22 [ 2355.202701][T10683] binder_alloc: binder_alloc_mmap_handler: 10681 20001000-20004000 already mapped failed -16 [ 2355.241504][T10684] binder_alloc: 10659: binder_alloc_buf, no vma [ 2355.241761][T10683] binder: BINDER_SET_CONTEXT_MGR already set [ 2355.257954][T10684] binder: 10681:10684 transaction failed 29189/-3, size 24-8 line 3147 [ 2355.287748][T10683] binder: 10681:10683 ioctl 40046207 0 returned -16 17:26:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x2000000, 0x0}) [ 2355.394474][T10686] binder: BINDER_SET_CONTEXT_MGR already set [ 2355.411210][T10686] binder: 10685:10686 ioctl 40046207 0 returned -16 [ 2355.429490][T10686] binder_alloc: 10659: binder_alloc_buf, no vma [ 2355.447534][T10686] binder: 10685:10686 transaction failed 29189/-3, size 24-8 line 3147 [ 2355.471855][T10686] binder: 10685:10686 Release 1 refcount change on invalid ref 0 ret -22 [ 2355.496971][T10687] binder_alloc: binder_alloc_mmap_handler: 10685 20001000-20004000 already mapped failed -16 [ 2356.436847][T10654] device sit0 left promiscuous mode [ 2356.445426][T23288] binder_release_work: 15 callbacks suppressed [ 2356.445433][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.476292][T10657] device sit0 entered promiscuous mode [ 2356.483560][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.494385][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.507701][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.526375][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.546650][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.566784][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.583962][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.594579][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.603070][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2356.609467][T23288] binder: send failed reply for transaction 1166 to 10659:10660 [ 2356.623583][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2356.634030][T10667] device sit0 left promiscuous mode 17:26:05 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x9, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS(r2, 0xc05c5340, &(0x7f0000000100)={0x1f, 0x2, 0x5, {}, 0x7, 0x81e}) 17:26:05 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(0xffffffffffffffff, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x3000000, 0x0}) 17:26:05 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:05 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) ioctl$KVM_SET_CPUID(r0, 0x4008ae8a, &(0x7f0000000100)={0x3, 0x0, [{0x40000007, 0x0, 0x3, 0x9}, {0x8000000f, 0x4, 0x9, 0xffffffffffffffe0, 0x81}, {0x80000002, 0x5, 0x8, 0x6, 0x7}]}) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$RTC_WIE_ON(r0, 0x700f) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2356.792121][T10692] binder: 10691:10692 Release 1 refcount change on invalid ref 0 ret -22 [ 2356.859524][T10699] binder_alloc: binder_alloc_mmap_handler: 10691 20001000-20004000 already mapped failed -16 [ 2356.904916][T10692] binder: BINDER_SET_CONTEXT_MGR already set [ 2356.938947][T10692] binder: 10691:10692 ioctl 40046207 0 returned -16 [ 2357.010326][T25500] binder: send failed reply for transaction 1181 to 10691:10692 [ 2357.029442][T25500] binder: undelivered TRANSACTION_COMPLETE 17:26:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4000000, 0x0}) [ 2357.153724][T10668] device sit0 entered promiscuous mode [ 2357.228263][T10708] binder: 10707:10708 Release 1 refcount change on invalid ref 0 ret -22 [ 2357.252252][T10709] binder_alloc: binder_alloc_mmap_handler: 10707 20001000-20004000 already mapped failed -16 17:26:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x2000000, 0x0}) [ 2357.274572][T10708] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.289055][T10708] binder: 10707:10708 ioctl 40046207 0 returned -16 [ 2357.304587][T25500] binder: release 10707:10708 transaction 1186 out, still active [ 2357.317702][T25500] binder: unexpected work type, 4, not freed 17:26:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x5000000, 0x0}) [ 2357.343353][T10711] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.346689][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2357.354093][T10711] binder: 10710:10711 ioctl 40046207 0 returned -16 [ 2357.376782][T25500] binder: send failed reply for transaction 1186, target dead [ 2357.410558][T10711] binder: 10710:10711 Release 1 refcount change on invalid ref 0 ret -22 [ 2357.421569][T10714] binder_alloc: binder_alloc_mmap_handler: 10712 20001000-20004000 already mapped failed -16 [ 2357.448483][T10713] binder: BINDER_SET_CONTEXT_MGR already set 17:26:06 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6000000, 0x0}) [ 2357.463006][T10713] binder: 10712:10713 ioctl 40046207 0 returned -16 [ 2357.580096][T10718] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.589976][T10718] binder: 10717:10718 ioctl 40046207 0 returned -16 [ 2357.605337][T10719] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.656928][T10719] binder: 10717:10719 ioctl 40046207 0 returned -16 [ 2357.663901][T10720] misc userio: Invalid payload size 17:26:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7000000, 0x0}) [ 2357.751871][T10723] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.757917][T10723] binder: 10722:10723 ioctl 40046207 0 returned -16 [ 2357.792100][T10723] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.798126][T10723] binder: 10722:10723 ioctl 40046207 0 returned -16 17:26:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0xa000000, 0x0}) [ 2357.912320][T10726] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.932223][T10726] binder: 10725:10726 ioctl 40046207 0 returned -16 [ 2357.966304][T10727] binder: BINDER_SET_CONTEXT_MGR already set [ 2357.988616][T10727] binder: 10725:10727 ioctl 40046207 0 returned -16 [ 2359.463787][T10690] device sit0 left promiscuous mode [ 2359.478859][T23288] binder: send failed reply for transaction 1192 to 10712:10713 [ 2359.501689][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2359.509045][T10700] device sit0 entered promiscuous mode [ 2359.532391][T10716] device sit0 left promiscuous mode 17:26:08 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x20000000, 0x0}) 17:26:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x8018af1c7f0000, 0x0, 0xa0008000) 17:26:08 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) ppoll(&(0x7f0000000180)=[{r0, 0x400}, {r0, 0x7180}], 0x2, &(0x7f00000001c0), &(0x7f0000000200)={0x4}, 0x8) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000200000/0x2000)=nil, 0x2000, 0x0, 0x20010, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000240)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) sendto$unix(r0, &(0x7f0000000100)="8de136d45b0553bf4e0502f43405d51602f9eb75666ed6602546d7dbb38867e86d2dd8eb48573357191355a3a7d537b7a74bee440d4ed36b985e7dbfeda5f134b26b1b9b5d32c36b285a648e3cd69a62c4967aae5f5a9d3c8e671d423febe8b1cf69cbd8d3307b1f89f9199165079f363af4d931", 0x74, 0x4040, 0x0, 0x0) 17:26:08 executing program 4: r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x10000, 0x0) ioctl$SG_GET_NUM_WAITING(r0, 0x227d, &(0x7f0000000280)) ioctl$FS_IOC_ENABLE_VERITY(r0, 0x6685) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x80000000000000, 0x80000001, 0x0, 0x0, 0x7f, 0x10001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r0, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000240)='/dev/vbi#\x00', 0x0, 0x2) socket$inet6_dccp(0xa, 0x6, 0x0) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(0xffffffffffffffff, 0x84, 0x6d, &(0x7f0000000100)={0x0, 0x58, "1132281e801ca7b7ea018def01a78c3782604a74bcd755769c76c069426d6c1a81f8d6b9d36ff5aa4f74f5ab8faa6237deae5989132b1893d9fda080fe67b467680949b9ef2d6dfbc48de939252f2242c137d7a82c2ba351"}, &(0x7f0000000180)=0x60) getsockopt$inet_sctp_SCTP_MAXSEG(r3, 0x84, 0xd, &(0x7f00000001c0)=@assoc_id=r4, &(0x7f0000000200)=0x4) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) syz_open_dev$cec(&(0x7f00000002c0)='/dev/cec#\x00', 0x1, 0x2) syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1) r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2359.714899][T10735] binder_thread_write: 4 callbacks suppressed [ 2359.714915][T10735] binder: 10734:10735 Release 1 refcount change on invalid ref 0 ret -22 [ 2359.762696][T10740] binder_alloc_mmap_handler: 3 callbacks suppressed [ 2359.762714][T10740] binder_alloc: binder_alloc_mmap_handler: 10734 20001000-20004000 already mapped failed -16 [ 2359.807774][T10735] binder: BINDER_SET_CONTEXT_MGR already set [ 2359.847462][T10735] binder: 10734:10735 ioctl 40046207 0 returned -16 [ 2359.930443][T10744] binder_alloc_new_buf_locked: 10 callbacks suppressed [ 2359.930451][T10744] binder_alloc: 10734: binder_alloc_buf, no vma 17:26:08 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) r2 = syz_genetlink_get_family_id$net_dm(&(0x7f0000000180)='NET_DM\x00') sendmsg$NET_DM_CMD_START(r0, &(0x7f0000000240)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000200)={&(0x7f00000001c0)={0x14, r2, 0x10, 0x70bd26, 0x25dfdbfc, {}, ["", "", "", "", "", "", "", "", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x50}, 0x4000) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000100)='threaded\x00', 0x9) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2359.980173][T10744] binder_transaction: 11 callbacks suppressed [ 2359.980191][T10744] binder: 10734:10744 transaction failed 29189/-3, size 24-8 line 3147 [ 2360.078110][T10720] device sit0 entered promiscuous mode 17:26:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x3f000000, 0x0}) [ 2360.201575][T10730] device sit0 left promiscuous mode 17:26:09 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:09 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2360.303059][T10750] binder: BINDER_SET_CONTEXT_MGR already set 17:26:09 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$VIDIOC_ENUMAUDOUT(r2, 0xc0345642, &(0x7f0000000100)={0x400, "db1242cc6cd3a14e6a97468793de18241a1ba78002c62ac00c3caa1cecfa797e", 0x2, 0x1}) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2360.343691][T10750] binder: 10749:10750 ioctl 40046207 0 returned -16 [ 2360.373604][T10756] device sit0 left promiscuous mode [ 2360.385817][T10757] binder_alloc: 10734: binder_alloc_buf, no vma [ 2360.431569][T10750] binder: 10749:10750 Release 1 refcount change on invalid ref 0 ret -22 [ 2360.479533][T10757] binder: 10749:10757 transaction failed 29189/-3, size 24-8 line 3147 [ 2360.512215][T10760] misc userio: Invalid payload size [ 2360.520088][T10757] binder_alloc: binder_alloc_mmap_handler: 10749 20001000-20004000 already mapped failed -16 [ 2360.565742][T10750] binder: BINDER_SET_CONTEXT_MGR already set [ 2360.589349][T10750] binder: 10749:10750 ioctl 40046207 0 returned -16 [ 2360.618481][T10765] binder_alloc: 10734: binder_alloc_buf, no vma [ 2360.647101][T10765] binder: 10749:10765 transaction failed 29189/-3, size 24-8 line 3147 17:26:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x48000000, 0x0}) 17:26:09 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2360.794184][T10768] binder: BINDER_SET_CONTEXT_MGR already set [ 2360.820592][T10760] device sit0 entered promiscuous mode [ 2360.830424][T10768] binder: 10767:10768 ioctl 40046207 0 returned -16 [ 2360.855528][T10769] binder_alloc: 10734: binder_alloc_buf, no vma [ 2360.884320][T10769] binder: 10767:10769 transaction failed 29189/-3, size 24-8 line 3147 [ 2360.930582][T10768] binder: 10767:10768 Release 1 refcount change on invalid ref 0 ret -22 [ 2361.003822][T10769] binder_alloc: binder_alloc_mmap_handler: 10767 20001000-20004000 already mapped failed -16 [ 2361.051609][T10769] binder_alloc: 10734: binder_alloc_buf, no vma [ 2361.066806][T10773] binder: BINDER_SET_CONTEXT_MGR already set [ 2361.087303][T10769] binder: 10767:10769 transaction failed 29189/-3, size 24-8 line 3147 [ 2361.105171][T10773] binder: 10767:10773 ioctl 40046207 0 returned -16 [ 2361.192327][T10768] binder: 10767:10768 Release 1 refcount change on invalid ref 0 ret -22 17:26:10 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, 0x0) 17:26:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4c000000, 0x0}) [ 2361.305475][T10777] binder: BINDER_SET_CONTEXT_MGR already set [ 2361.340100][T10777] binder: 10776:10777 ioctl 40046207 0 returned -16 [ 2361.362307][T10778] binder_alloc: 10734: binder_alloc_buf, no vma [ 2361.383301][T10778] binder: 10776:10778 transaction failed 29189/-3, size 24-8 line 3147 [ 2361.400908][T10777] binder: 10776:10777 Release 1 refcount change on invalid ref 0 ret -22 [ 2361.417097][T10778] binder_alloc: binder_alloc_mmap_handler: 10776 20001000-20004000 already mapped failed -16 [ 2361.429103][T10777] binder: BINDER_SET_CONTEXT_MGR already set [ 2361.442618][T10778] binder_alloc: 10734: binder_alloc_buf, no vma [ 2361.449057][T10777] binder: 10776:10777 ioctl 40046207 0 returned -16 [ 2361.463114][T10778] binder: 10776:10778 transaction failed 29189/-3, size 24-8 line 3147 [ 2361.619514][T25500] binder_release_work: 14 callbacks suppressed [ 2361.619523][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2361.632074][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2361.638343][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2361.644677][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2361.651010][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2361.657258][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2361.663625][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2361.669952][T25500] binder: send failed reply for transaction 1203 to 10734:10735 [ 2361.677665][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2361.683585][T25500] binder: undelivered TRANSACTION_ERROR: 29189 17:26:11 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, 0x0) 17:26:11 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x20000000, 0x0}) 17:26:11 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x60000000, 0x0}) 17:26:11 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0xffffffffffffffab, 0x0, 0x0, 0x4, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000200)={0x0}, &(0x7f0000000240)=0x8) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x22, &(0x7f0000000280)={0x0, 0x8203, 0x5, 0x80000000, r2}, &(0x7f00000002c0)=0x10) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) ioctl$VIDIOC_S_EDID(r0, 0xc0285629, &(0x7f0000000340)={0x0, 0xdcd, 0x3, [], &(0x7f0000000300)=0x80}) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$FS_IOC_SETFSLABEL(r3, 0x41009432, &(0x7f0000000100)="f04fdc09f51a8803eb312e3b911519a85da452d943f7e90f61e353d5395b4f1c456d5d93455f4b4ae9ec04f36119fdf46ec3bf708012ae124df64e980af6942b2625e403a69c11589adf2def103e334a5f9282dc8834843d16d897201fed29427d1ccbcd347a0bfef0c082358dddba09ecb24f7186ea019fe15d2bf3720d2a7ce90acd94a68a93a66f775bbf0dc824ee8223304a3c38ff34f4f7602952fe5849b90f058469715d56b59c82f15836c1fceecc939d32b9f1170ba0d7962f0eaf3d931c23db82233c089ccc738e15811531fdd0f57f4be01e79d7a2f45f7e268fcb0225852500ba9215b4cf8351e678dcbee8846cc5c5d8fbda377e1162ed0a93c6") r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:11 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) getsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r0, 0x84, 0x12, &(0x7f0000000100), &(0x7f0000000140)=0x4) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000180)={'nr0\x00', 0x810}) [ 2362.710529][T10784] binder: 10782:10784 Release 1 refcount change on invalid ref 0 ret -22 [ 2362.736217][T10786] binder: BINDER_SET_CONTEXT_MGR already set [ 2362.746113][T10791] binder_alloc: binder_alloc_mmap_handler: 10782 20001000-20004000 already mapped failed -16 [ 2362.749161][T10787] device sit0 left promiscuous mode [ 2362.763409][T10786] binder: 10785:10786 ioctl 40046207 0 returned -16 17:26:11 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, 0x0) [ 2362.826154][T10786] binder_alloc: 10782: binder_alloc_buf, no vma [ 2362.836706][T10784] binder: BINDER_SET_CONTEXT_MGR already set [ 2362.870317][T10786] binder: 10785:10786 transaction failed 29189/-3, size 24-8 line 3147 [ 2362.891890][T10784] binder: 10782:10784 ioctl 40046207 0 returned -16 [ 2362.892085][T10799] binder_alloc: 10782: binder_alloc_buf, no vma [ 2362.949808][T10801] binder: 10785:10801 Release 1 refcount change on invalid ref 0 ret -22 [ 2362.951468][T10791] binder: 10782:10791 Release 1 refcount change on invalid ref 0 ret -22 [ 2362.962763][T10794] misc userio: Invalid payload size [ 2363.060895][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2363.074163][T25500] binder: release 10782:10784 transaction 1214 out, still active [ 2363.083672][T10799] binder: 10782:10799 transaction failed 29189/-3, size 24-8 line 3147 [ 2363.097888][T25500] binder: unexpected work type, 4, not freed 17:26:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) ioctl$KVM_SET_CPUID(r0, 0x4008ae8a, &(0x7f0000000100)={0x3, 0x0, [{0x40000007, 0x0, 0x3, 0x9}, {0x8000000f, 0x4, 0x9, 0xffffffffffffffe0, 0x81}, {0x80000002, 0x5, 0x8, 0x6, 0x7}]}) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$RTC_WIE_ON(r0, 0x700f) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2363.120470][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2363.141945][T25500] binder: undelivered TRANSACTION_ERROR: 29189 17:26:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x68000000, 0x0}) 17:26:11 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$RTC_SET_TIME(r2, 0x4024700a, &(0x7f0000001100)={0x31, 0x8, 0x14, 0x1d, 0xd, 0x8, 0x5, 0xc1, 0x1}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) ioctl$PIO_FONT(r0, 0x4b61, &(0x7f0000000100)="99fa2fc661c202fc29c398252a36b29f6d0a541ca7002db1e0b0a17c335c54b9b58a0cb69547fbde9733a674de8c76c73fea77393613eefb552fc8cf8ff61e806fcb07f5cdf2a3beebcb60958cfaf940781613305b7cc1667bb4b3f4eef1d98dc290d3587c6b78dee45e1ebf619ef7da2248e19ae45dc82d79ad4bb1ea26e6b256014cd3b7e09959379b055b0030c96151d23d0d3547f4255f4023d325c41e1afd5a9b9e584cd282124dee9cc122291089905f54597b8ac9a2e71932c7bce6e6ac0ed67593b12b207d999b629334c3b2ad4bb6a7a86d2118302eeeda4c69f5542cc36dddc35867fbce0e54f8e9211c6d826b0518cbb3a5689d1c67c50fff69363b8d55518ae0ba1a6e265f603e4cdcd38078281ed69ff54c5bbb4675ae5ebbefb546a2753c942a702efc7c6fb0ae6753aa760c4244730104cb498317fbc98d16a89d166aab433e6be55ffd5c75198ac5f0e627c702951692400ffcaad1c4f92e3470773d835ad40a208aba375e604f2f435f13c5b0b22d74ccb0f2bcf11b8f0ee6c31f77caf20c05c096d027340d62ee4f2374dbe839f6ca57089184a7e14f4238f3c79c8b5cd6c02884c649d3e05634cfcddded84d129906a97b9b361991d044707a2c242640e51b6d60ef196f1789bf478adf9a64ec46d9a5629d291ac299cd59970dd2f5a14061cc971672a89bb03d90efb46bd3858408d31fd9c22fb8955bc8915bfb9e355b963f400d2e48fab28131adc188ae26d03d9c7c3799ced0df55aec8f802646727fe85bc4b881f3299a08bdd09f8d1c1ccb6793a03e3fd347e754cfe0a6e9b8a35bad20d871d21fb6241d621c008f9a8b3fe643f7ad26f0ff23c01fad888904914056d93426e183636739898d1e3eb00bb5bbc106ed94b31905ba4f16a90cac91c4a87225d14867e2cff95dfc558bb8ee61358865601e538dd1ba571842cd8cf7e295b79d1d7fa121c7584b2323184dc35175db79b53aac6e18c4a3255958fcaf0def89561a525974404c28a2861f0a9187fe0287f9177da4ce9d414b65d93fa8fc099fb12a035a0e7a6f13a6a62424807347409d972b49a4b95d74ac54938fbb6b8e7bcdbebe4c0b12e61cdd6f3a44acf8a17d27c78eca755836e9906fcab602ea9d752957ae60a0ba41119338ed475fa3aed73610217748565e759a94f7f517ebdabc8b895f5c40c9535ae8ab5a8f20407715e5e8713c56f1b273b4a7e049b4f96546a435f903c47f9ce83e83287e50edfb9c4ee3859c7318addcfec9b268203ab13831b79bfc07c37bc7915a1d0eb15c0e2b8a219ad67e8b6d0fc7a899c923d3c132e5db79a9187eb8e11e1ad7e41e37f192626fe178cf5638cf89a67ded58e3db2f13d8168adcb178d768d60c86707cbde1454736e2685b046ca06c782c10521ecf2abb067a6bf4f1111c349ed00aff049b24590b529c466e37af3202fbe5a8f80e897177817d73863a623025bc202502472f2f58dc51521a88de1fd3499663ceb06ebdb906666ad0e3e336bd8e249d40c648ba04d7fc7654b2eec293024e7c6d1f3e6099dd7a226459bc58cd4f36a51cd859ae85e8b1fc536819a28fb048843577e7ca771d64690c8e8b3f894d4d8ec029c0402306f91f6b2c6865ca9bfe3949c054cfd6af377bd67e7b8be5cf3488cd5276718ae2e35b935c6e7b13c0695e7ce79d5c4051fa9cee890f574324090916b9df0ccc78ccd99e656aa71f6925751126b843f345e009dfc6edc75788a214a4e21ca88b2f9097018e8175839d4a18eee3b28eaf18b261b800c22b24668e45db832f480e944c264b0a54eac195b2a0b7a2b8a3fa2d19f592925ac880c54c5a8472c3c41ee69a4116ac94bb2dd5c90fae58628188cd1d9d7bbc0efe2a64d1946656a9863a5dd503ac1c48bd76668b2e3cf2f04b1512526c89fa5813e7137595bc0bb66aaa3d96d89711ad4fe788bac421ea9718fb90fb981831d754e63ba8ea015c3f7695ec769b539cfd55f58c38eb03ea806ea0c3c13a30ff6556ad2a3eac107fd076461f0595f170137380fdba0f4558dcd5cdcbac36b67b07c80b3301e17362cf0f999742ad0fa330f0a1f71d6f4fbbeed90f90f869c1dce99226705721115f093de0665e8de5dd8fa03078c2544cd69ab8a492f30b5e93e99e8434fa584479044d642ea41f7180a85bf5483a4f78c05ea9f12712050869242ccfe0cda3321a129a1cca8352c41b39d8b5d8a82889974ada4efb9712197f83a0419e5187f1f4a09863f028210a1b28872a3ab7ef649011b001a651c615c851e78d806590c9614bfc9db258c0a3382d5b0eccbc6ea3467d2eec27b11d13f942d30b08aebd0c5019f0f44ce31521f751ab9d7c9e779a701af87dfb57467f37d2bbe4192978b14ba584469d3915ec1fc1f858fba6accc4fe06a53c1416aeeaec9e0c3b6a3d7e79e0661be7fc8009fd01e967854b737585b2d462dfd004e3b9be2ba3eef86de980ffb12e008af63952a42b42d25a9a0e1652fe0ec17e2340c6068756f650090a6c247259b88ee8767cd0ffc5fed93773fe2d5459e5fca92a980d8eb7ffe52510858cc2a22be00b06b72114496f455decaeb5e05dffcd36318b2e3906157ec4d0ba63fd509de9399a19bf4063d8bb6406aa48250b11552e122cc474deeb87f927293d820454dcd9cd169b3127d40201d3382054629b7a7ea53fe00ad205a2640e0670a9c148669c7caa7b46fa8d4185d166fd1a2bd12ea5ed230f57b0f6f1105ce44f7545552ff0363c8f448217047666ba297ba97980ac2104532a80cce9063b882b98aa8ea9ad87b9cfdb0697e7bc4c27eb601f1b918e132762504d2213eb99398d1c233a39954eb39f1d74676da89c9197e9cd5a143e062fa80f0de6cd2b91fb2dc76fff2add4a51fd4e9732a7445e8839814f048bea5036f951a2f60ce06d90ff16fdce10cda35da7179e39d6da20cf731dbbb1a27c18d540537b4ed16663ed3293e6c3d8ab840a852130824ac3823a55fe468fdeaf12c8a39783b38e4fbb96ff1e77e5535c362cb273d952908f852d13dca475852d506f59683f24be45237451c2211ad096c068cd6b585c983b0d82a415997ac9983464d47f60efa5b0951b6073593e634f479fab720b6c75e7595dff4f8fba71914ccb4af82c8870011c7b79e346def59adfb3da04075c83c34a935b1a5b15907add2be6f09b9173b8714dc6eab4ed4cf39d88321c3817199d929ad904ebd8ae9188bbdf5d5f16fef8cd56e9ec43a0fb730ff24f3d8eb85199e09ff1c2f38405d9c826eff97a017025be4efe45694b9485d7521060e6ee797276207551e6ddd3048751894af696a7c06b2080911e46a7dbdecd009325d5d8df7cc6db316564e729619a91ec27909b453fb6bcbfa6c568552bf3b869966ceaf24dd8fb4904749e8de443ab7a73be87b10501efc5f884709be47173a2c784729ae3e954bfc1ee410221ee91c380d72178e5617004b382a453a1e3b548581c53ac6aed406b94be5c756c0c148a6d83659d1096dff3945c844ea7e80c62cc2e9a53393cdfec8eb14daacacfbebc09a9b081d9bb3d1c62c1a20d155862e18ded17451f6e67e2cbd3833a169cdff31329276671d2002e6a1bd8e4ce08006164638d55a2e6c29355d44d2c77531cdffa77ce8d120c289c51ad219d938801f69151bdbc4da9af1d610ac9a7ad49a25d92faca12bbf33c989c106311b8166efda2543f3452030a5dfb3284be0b86dc0e79f2f17ada9a8e3b308042317b5ed9392eced4f9dd6937fbb422afc88c25555b6fa35d58933cffe917254231eb9b5b49b44a98a880882fab779b00997134c4fee198ead688267d4b73aa99d50cb71fd255dbaab3b34b6fb6849231c72c558b48fbd66c0f336a0bb850f81a82921e8fedecfe02eaba246384792989d4be01403b977a73cdc79afef0f75f580e03883b1708a1e4be048dd0d6972c69d671f9c7c3c123adbc508fe1c1112f22cad9c21edb5f990080b471219fd8dbad15a019003cf9e464a9d12cda09625b6f2cd05157142c8e3b09206d2683b1e227feb97a889d88050a3f0a048453fabe0e572fef65da74ac886cbd950828713ab1ebdd9763ce14a15d0c9b3bef4dfef6a584a04ac46ac6cb8cd20acc6d81bf365a0a585b58433a9ee48338cbbe913758b8871a9c963c49e925d379088ee6b6ea29c98364d651d05c1b03c901293de21f76ef5671c7fac4ba6857ad5367d2b06ac3fb6fae933762f110da6a6ffb067bfce75dbae4cf11b5e6d8a9e82ea3002cef85fed64d9903ac64bf17eca9ea6c08f9b57e5621a407b01a1557a72c4ac0ef385189fca55bbbfe3a1ada2f848284593b800bca37322fe014c0089990eb768f7da48ed6ee4c7c6eb52611179464c5fc6d2a450dac8bdc5b8437add6a10958cabff639ec9f0d50cded1014c45d89895563ff3d472c5c067aaf5a199d71e750378de814f40fe288f39c130a3ecdb362344a2f8ff3edf8d82191f6fff36ddf45123c131cd7cd2aced28558aeee3368bf2ee0d3ed825a41e994f85b222ce7e92fac00f055d0ccfa2927140bd1d6b5911af71a0be1efe26288b61f906d06c35f146076dd7266328031fdb63542f22b9e9862f29c3f5a48d7b1f637eaee33a25bbf392bb5638300402eb5033f6bd6e807ca257f11619a31874d5e350d3fa01c4551f7198326a32b2085a09af09d8e1477be6b790d6e311c87a18798edce159f4b17168b02bc5145703e064c240362a5594c7e9a0046ad66cc397a71afe0458b18edef8631d8565dd81356cf420f48c591f0a822ce09c217b61602a2ab2492953410b5bf3a71371ef01d3a186bba998f43087f6a58c1e702eb3212042cd77b505d9c4de16fcf99041af2cc964bc82ccd7731908158f37e2ed1474d1d9e791c04b72aa146ef8d681ae7d9feaf375536b14bd3edaa58104546a77ed5bf70b966dede1255b905d97943a0772a031c2ba8f6115e1b15fb7dcd2a9d470d8a88300f6fbd5ddebcfce49aa29c1250eacb23b9f2439307f1b2d000194c8a17dae6a87455cebea45f38a4d6608367996948c640c94a37716df8e9986b25e54018f29df0e5f728292f647d0cc443ea92a873582e10a5c703fde8cd9120573614dee60c2215a5862bf498d684366a689e39899c8a2fe721d794f49809fa55982d6c26f92b8386812909acbabf1dc3b4401d8ccab925198d5c45bb04a8694ee0320a21055b84f5c27623e92fa0338f49f74825447be02649f978266d7c14d06676f4441279261631e196cb35927b8faf246d2252d6958e0c8e908436b9b421627948c8c4d71e018361d5cf4c2027cfab0ae8b9af772a41125c753909b7722bd21921030f89783b338a2e32c33ae7e96fcc56297663782edc3ea2aa8f4edc8c211aac1cf81b9311ef93f857839d0a32739e13bccd6e0570c5d8b031188738f9397729d64f99afedbaae4ed05f1c18ad13ab755be4c98f7e5a2ab56ebeb5e4864a228d96b6fa89dfdef2c9616bddd15f1c39444acce439dfdaf54d6623081b73b8ad9b6929a8df81ee3b6abb97b32a7006232e09a51da341f1fa3677ddd746cf5b5d3ddba269f43c30186ef21c4a2897553c560d83aaa4d1746c766a96967c6d09cb97286acf94ce05c03b407cbb54382735c8f38cd81b16ce64bfa08d4d48918251df81c4f80ab633cbb901bb45a9d15b7ad4f362441a2680edba97a65f0b69e1af37c0350fc4c69ef3bc44d20dd274e86854f92fdcf0b9dbb4e321a0f21c3f367d6acf457b2a92c0231e2002aa36a67ad0420143b95776ff89fc189cc") [ 2363.170671][T25500] binder: send failed reply for transaction 1214, target dead 17:26:12 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) mkdir(&(0x7f0000000100)='./file0\x00', 0x2a) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2363.331509][T10810] binder: 10809:10810 Release 1 refcount change on invalid ref 0 ret -22 [ 2363.372384][T10812] binder_alloc: binder_alloc_mmap_handler: 10809 20001000-20004000 already mapped failed -16 [ 2363.427635][T10810] binder: BINDER_SET_CONTEXT_MGR already set [ 2363.462663][T10810] binder: 10809:10810 ioctl 40046207 0 returned -16 [ 2363.504965][T10816] binder_alloc: 10809: binder_alloc_buf, no vma [ 2363.544945][T10812] binder: 10809:10812 Release 1 refcount change on invalid ref 0 ret -22 [ 2363.594086][T10816] binder: 10809:10816 transaction failed 29189/-3, size 24-8 line 3147 [ 2363.613734][T23288] binder: send failed reply for transaction 1220 to 10809:10810 17:26:12 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00'}) 17:26:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6c000000, 0x0}) [ 2363.656584][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2363.663738][T10795] device sit0 entered promiscuous mode 17:26:12 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2363.781088][T10824] binder_alloc: binder_alloc_mmap_handler: 10821 20001000-20004000 already mapped failed -16 17:26:12 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00'}) 17:26:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x74000000, 0x0}) [ 2363.909311][T10828] misc userio: Invalid payload size [ 2363.970623][T10832] binder: BINDER_SET_CONTEXT_MGR already set [ 2363.995787][T10832] binder: 10831:10832 ioctl 40046207 0 returned -16 [ 2364.037298][T10834] binder_alloc: binder_alloc_mmap_handler: 10831 20001000-20004000 already mapped failed -16 [ 2364.068965][T10834] binder: BINDER_SET_CONTEXT_MGR already set [ 2364.085079][T10834] binder: 10831:10834 ioctl 40046207 0 returned -16 17:26:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7a000000, 0x0}) [ 2364.189048][T10837] binder: BINDER_SET_CONTEXT_MGR already set [ 2364.202054][T10837] binder: 10836:10837 ioctl 40046207 0 returned -16 [ 2364.220274][T10838] binder_alloc: binder_alloc_mmap_handler: 10836 20001000-20004000 already mapped failed -16 [ 2364.240199][T10837] binder: BINDER_SET_CONTEXT_MGR already set [ 2364.248987][T10837] binder: 10836:10837 ioctl 40046207 0 returned -16 17:26:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0xfdfdffff, 0x0}) [ 2364.355692][T10841] binder: BINDER_SET_CONTEXT_MGR already set [ 2364.368750][T10841] binder: 10840:10841 ioctl 40046207 0 returned -16 [ 2364.387863][T10842] binder_alloc: binder_alloc_mmap_handler: 10840 20001000-20004000 already mapped failed -16 [ 2364.432777][T10841] binder: BINDER_SET_CONTEXT_MGR already set [ 2364.446874][T10841] binder: 10840:10841 ioctl 40046207 0 returned -16 17:26:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0xfffffdfd, 0x0}) [ 2364.525221][T10845] binder: BINDER_SET_CONTEXT_MGR already set [ 2364.541611][T10845] binder: 10844:10845 ioctl 40046207 0 returned -16 [ 2364.564163][T10845] binder: BINDER_SET_CONTEXT_MGR already set [ 2364.580307][T10845] binder: 10844:10845 ioctl 40046207 0 returned -16 17:26:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) ioctl$KVM_SET_CPUID(r0, 0x4008ae8a, &(0x7f0000000100)={0x3, 0x0, [{0x40000007, 0x0, 0x3, 0x9}, {0x8000000f, 0x4, 0x9, 0xffffffffffffffe0, 0x81}, {0x80000002, 0x5, 0x8, 0x6, 0x7}]}) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$RTC_WIE_ON(r0, 0x700f) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2365.877123][T25500] binder: send failed reply for transaction 1225 to 10821:10822 [ 2365.885101][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2365.891659][T10827] device sit0 left promiscuous mode 17:26:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x100000000000000, 0x0}) 17:26:14 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000100)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2365.987142][T10848] binder_thread_write: 5 callbacks suppressed [ 2365.987158][T10848] binder: 10847:10848 Release 1 refcount change on invalid ref 0 ret -22 17:26:14 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000200)='/dev/dlm-monitor\x00', 0x800, 0x0) write$capi20(r0, &(0x7f0000000240)={0x10, 0x7ff, 0xff, 0x81, 0x7fffffff, 0x3}, 0x10) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) syz_extract_tcp_res$synack(&(0x7f00000001c0), 0x1, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = shmget$private(0x0, 0x1000, 0x100, &(0x7f0000ca0000/0x1000)=nil) shmctl$SHM_STAT(r4, 0xd, &(0x7f0000000100)=""/176) ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2366.131698][T10855] binder_alloc_mmap_handler: 1 callbacks suppressed [ 2366.131717][T10855] binder_alloc: binder_alloc_mmap_handler: 10847 20001000-20004000 already mapped failed -16 [ 2366.185165][T10848] binder: BINDER_SET_CONTEXT_MGR already set [ 2366.227109][T10848] binder: 10847:10848 ioctl 40046207 0 returned -16 [ 2366.237076][T23288] binder: send failed reply for transaction 1238 to 10847:10848 [ 2366.255554][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2366.257689][T10857] binder_transaction: 9 callbacks suppressed [ 2366.257708][T10857] binder: 10847:10857 transaction failed 29189/-22, size 24-8 line 2994 [ 2366.356059][T10828] device sit0 entered promiscuous mode 17:26:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x200000000000000, 0x0}) 17:26:15 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00'}) 17:26:15 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r1 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r1, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2366.561476][T10864] binder: 10863:10864 Release 1 refcount change on invalid ref 0 ret -22 [ 2366.620455][T10869] binder_alloc: binder_alloc_mmap_handler: 10863 20001000-20004000 already mapped failed -16 [ 2366.642969][T10864] binder: BINDER_SET_CONTEXT_MGR already set [ 2366.651235][T10868] device sit0 left promiscuous mode 17:26:15 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2366.672629][T10864] binder: 10863:10864 ioctl 40046207 0 returned -16 [ 2366.697136][T10869] binder_alloc_new_buf_locked: 9 callbacks suppressed [ 2366.697147][T10869] binder_alloc: 10863: binder_alloc_buf, no vma [ 2366.753638][T10869] binder: 10863:10869 transaction failed 29189/-3, size 24-8 line 3147 [ 2366.784925][T10872] misc userio: Invalid payload size 17:26:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x300000000000000, 0x0}) 17:26:15 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2366.900966][T10875] binder: BINDER_SET_CONTEXT_MGR already set [ 2366.921739][T10875] binder: 10874:10875 ioctl 40046207 0 returned -16 [ 2366.948876][T10878] binder_alloc: 10863: binder_alloc_buf, no vma [ 2366.970940][T10878] binder: 10874:10878 transaction failed 29189/-3, size 24-8 line 3147 [ 2367.004160][T10875] binder: 10874:10875 Release 1 refcount change on invalid ref 0 ret -22 [ 2367.033226][T10878] binder_alloc: binder_alloc_mmap_handler: 10874 20001000-20004000 already mapped failed -16 [ 2367.080611][T10875] binder: BINDER_SET_CONTEXT_MGR already set [ 2367.104101][T10872] device sit0 entered promiscuous mode [ 2367.124475][T10875] binder: 10874:10875 ioctl 40046207 0 returned -16 17:26:16 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2367.170425][T10878] binder_alloc: 10863: binder_alloc_buf, no vma [ 2367.205480][T10878] binder: 10874:10878 transaction failed 29189/-3, size 24-8 line 3147 17:26:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x400000000000000, 0x0}) [ 2367.365132][T10884] binder: BINDER_SET_CONTEXT_MGR already set [ 2367.400599][T10884] binder: 10883:10884 ioctl 40046207 0 returned -16 [ 2367.439496][T10885] binder_alloc: 10863: binder_alloc_buf, no vma [ 2367.476352][T10885] binder: 10883:10885 transaction failed 29189/-3, size 24-8 line 3147 [ 2367.519573][T10884] binder: 10883:10884 Release 1 refcount change on invalid ref 0 ret -22 [ 2367.569094][T10885] binder_alloc: binder_alloc_mmap_handler: 10883 20001000-20004000 already mapped failed -16 [ 2367.635238][T10884] binder_alloc: 10863: binder_alloc_buf, no vma [ 2367.635973][T10887] binder: BINDER_SET_CONTEXT_MGR already set [ 2367.657419][T10884] binder: 10883:10884 transaction failed 29189/-3, size 24-8 line 3147 [ 2367.672967][T10887] binder: 10883:10887 ioctl 40046207 0 returned -16 [ 2368.850446][T25500] binder_release_work: 13 callbacks suppressed [ 2368.850455][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2368.863516][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2368.870285][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2368.876649][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2368.883459][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2368.890229][T25500] binder: send failed reply for transaction 1243 to 10863:10864 [ 2368.898086][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2368.904483][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2368.911228][T25500] binder: undelivered TRANSACTION_ERROR: 29189 17:26:17 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(0xffffffffffffffff, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:17 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x20000000000000, 0x0, 0xa0008000) 17:26:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="05630440"], 0x0, 0x0, 0x0}) 17:26:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x500000000000000, 0x0}) 17:26:17 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c837, r1, 0x0) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:17 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) openat$audio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio\x00', 0x200, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2369.090292][T25500] binder: release 10890:10891 transaction 1252 out, still active [ 2369.098060][T25500] binder: unexpected work type, 4, not freed 17:26:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="05630440"], 0x0, 0x0, 0x0}) [ 2369.142305][T10894] binder: BINDER_SET_CONTEXT_MGR already set [ 2369.160480][T25500] binder: undelivered TRANSACTION_COMPLETE [ 2369.175362][T10894] binder: 10893:10894 ioctl 40046207 0 returned -16 [ 2369.200240][T25500] binder: send failed reply for transaction 1252, target dead [ 2369.208462][T10897] device sit0 left promiscuous mode [ 2369.231024][T10902] binder: 10893:10902 transaction failed 29189/-22, size 24-8 line 2994 [ 2369.280194][T10894] binder: 10893:10894 Release 1 refcount change on invalid ref 0 ret -22 [ 2369.306027][T23288] binder: release 10904:10905 transaction 1258 out, still active [ 2369.326748][T10902] binder_alloc: binder_alloc_mmap_handler: 10893 20001000-20004000 already mapped failed -16 [ 2369.335357][T23288] binder: unexpected work type, 4, not freed 17:26:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="05630440"], 0x0, 0x0, 0x0}) [ 2369.383357][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2369.420815][T23288] binder: release 10893:10894 transaction 1262 out, still active 17:26:18 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x940000000000, 0x0, 0xa0008000) [ 2369.453945][T23288] binder: unexpected work type, 4, not freed 17:26:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x600000000000000, 0x0}) [ 2369.497340][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2369.516582][T10911] binder: BINDER_SET_CONTEXT_MGR already set [ 2369.565806][T10911] binder: 10910:10911 ioctl 40046207 0 returned -16 [ 2369.572672][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2369.582478][T23288] binder: send failed reply for transaction 1258, target dead [ 2369.604529][T10911] binder: 10910:10911 transaction failed 29189/-22, size 24-8 line 2994 [ 2369.622734][T10915] binder: 10913:10915 Release 1 refcount change on invalid ref 0 ret -22 [ 2369.640987][T23288] binder: send failed reply for transaction 1262, target dead 17:26:18 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2369.672440][T10919] binder_alloc: binder_alloc_mmap_handler: 10913 20001000-20004000 already mapped failed -16 [ 2369.692731][T25500] binder: undelivered TRANSACTION_ERROR: 29189 17:26:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="04630440"], 0x0, 0x0, 0x0}) [ 2369.735185][T10915] binder: BINDER_SET_CONTEXT_MGR already set [ 2369.783602][T10915] binder: 10913:10915 ioctl 40046207 0 returned -16 [ 2369.800027][T10922] binder_alloc: 10913: binder_alloc_buf, no vma [ 2369.814439][T10922] binder: 10913:10922 transaction failed 29189/-3, size 24-8 line 3147 [ 2369.854735][T10906] device sit0 entered promiscuous mode [ 2369.864486][T10924] binder: BINDER_SET_CONTEXT_MGR already set [ 2369.915151][T10924] binder: 10923:10924 ioctl 40046207 0 returned -16 [ 2369.915317][T10926] binder_alloc: 10913: binder_alloc_buf, no vma [ 2369.971665][T10926] binder: 10923:10926 transaction failed 29189/-3, size 24-8 line 3147 17:26:18 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(0xffffffffffffffff, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:18 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000200)={&(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=[0x0, 0x0], &(0x7f0000000180)=[0x0, 0x0, 0x0], &(0x7f00000001c0)=[0x0, 0x0, 0x0, 0x0], 0x4, 0x2, 0x3, 0x4}) 17:26:18 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) openat$audio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio\x00', 0x200, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x700000000000000, 0x0}) 17:26:18 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet_icmp_raw(0x2, 0x3, 0x1) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000700)={'vxcan1\x00', 0x0}) setsockopt$inet_mreqn(r1, 0x0, 0x23, &(0x7f0000000740)={@local, @rand_addr=0x1, r2}, 0xc) r3 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r5 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r6 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) fcntl$setsig(r0, 0xa, 0x2c) ioctl$TCGETS(r3, 0x5401, &(0x7f0000000040)) r7 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$VIDIOC_ENUMSTD(r3, 0xc0485619, &(0x7f00000006c0)={0x8001, 0x20000, "a5b545866c7fc9f3fad87da140532ebd384760cec66fb968", {0x8, 0x1ff}, 0x12000}) ioctl$SNDRV_TIMER_IOCTL_GSTATUS(r5, 0xc0505405, &(0x7f0000000100)={{0xffffffffffffffff, 0x1, 0x0, 0x0, 0x2}, 0xe9, 0x80, 0x10000}) socket$inet6_udp(0xa, 0x2, 0x0) syz_kvm_setup_cpu$x86(r6, r8, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) getsockopt$inet_IP_XFRM_POLICY(r6, 0x0, 0x11, &(0x7f00000004c0)={{{@in6=@initdev, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@dev}}, &(0x7f00000005c0)=0xe8) syz_mount_image$btrfs(&(0x7f0000000180)='btrfs\x00', &(0x7f00000001c0)='./file0\x00', 0x2, 0x3, &(0x7f0000000440)=[{&(0x7f0000000200)="adaaad15aaf55879f9bc778f7a45dab3deaab31da1ad889b249365c3195480da85636aa7acbb8d7076967fcbfdaa3628d19aa9792d438a94cb432ed3738587feef40d55a9e866daf0f8d9d9de911ca537a87cedb9f854dc95d09d123ee37d6a2210a11a8d71aefeba8752469f1018c4a3187f34eb07e225306b579f2f2e9b8457e593eb39721cf32d0ecc91e5e4bc86dff24bfd4a3862279699a4eef933ff853626beafddef77420a24d5add08e57a5dcadf70012d890351a85560e281b84b001509b87c465a0d3434e08da2b7817029e983ee7d2552b0", 0xd7, 0xfff}, {&(0x7f0000000300)="da0b9d4cf1c90024eb71f59daccded006db824e3f91d617475bbb7d9b92af45880a75aa29241e53f15312643dd9e87bb72eda162e599e77110f5cd18b291501c197d8064945eb502eacf292520238347ac28f11a4d2a474c89872adf6b251d0833f0e50e56cd54b5037c5e9fedd9be75ab132bc076fbc81523af9063bd4b95e000f4e0c7ebf988ae5094833e5442ab22b4d35b8a063a86b93123ef929c1b39d42a1be8177857932eadb544cd3cc9c66e2ab7a018342a0a3a679b3ee684f7fba61cc8606f57a09cab37356ea5e73b1465", 0xd0, 0x6b93}, {&(0x7f0000000400)="6fa9d00b608a64e00b41e23ba35d40", 0xf, 0xd4}], 0x40, &(0x7f0000000600)={[{@noautodefrag='noautodefrag'}, {@subvolid={'subvolid', 0x3d, 0xfffffffffffffffb}}, {@compress='compress'}, {@subvolid={'subvolid', 0x3d, 0x8}}], [{@euid_gt={'euid>', r9}}, {@fsmagic={'fsmagic', 0x3d, 0x7}}]}) 17:26:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB='\rc\x00\x00'], 0x0, 0x0, 0x0}) [ 2370.158799][T10932] binder: BINDER_SET_CONTEXT_MGR already set [ 2370.199942][T10932] binder: 10931:10932 ioctl 40046207 0 returned -16 [ 2370.272518][T10939] device sit0 left promiscuous mode [ 2370.278305][T10941] binder_alloc: 10913: binder_alloc_buf, no vma [ 2370.290886][T10940] binder: BINDER_SET_CONTEXT_MGR already set [ 2370.320167][T10932] binder: 10931:10932 Release 1 refcount change on invalid ref 0 ret -22 [ 2370.355065][T10940] binder: 10937:10940 ioctl 40046207 0 returned -16 [ 2370.379422][T10945] binder_alloc: 10913: binder_alloc_buf, no vma [ 2370.392070][T10941] binder_alloc: binder_alloc_mmap_handler: 10931 20001000-20004000 already mapped failed -16 17:26:19 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:19 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) openat$audio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio\x00', 0x200, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2370.626568][T10952] binder: BINDER_SET_CONTEXT_MGR already set [ 2370.654799][T10952] binder: 10931:10952 ioctl 40046207 0 returned -16 [ 2370.729422][T10941] binder_alloc: 10913: binder_alloc_buf, no vma [ 2370.825684][T10955] misc userio: Invalid payload size 17:26:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0xa00000000000000, 0x0}) 17:26:19 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) openat$audio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio\x00', 0x200, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2370.956385][T10947] device sit0 entered promiscuous mode [ 2370.980797][T10958] binder: BINDER_SET_CONTEXT_MGR already set [ 2371.023768][T10958] binder: 10957:10958 ioctl 40046207 0 returned -16 [ 2371.088663][T10962] binder: 10957:10962 Release 1 refcount change on invalid ref 0 ret -22 [ 2371.159726][T10961] binder_alloc: binder_alloc_mmap_handler: 10957 20001000-20004000 already mapped failed -16 17:26:20 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:20 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(0xffffffffffffffff, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2371.242398][T10962] binder: BINDER_SET_CONTEXT_MGR already set [ 2371.294250][T10962] binder: 10957:10962 ioctl 40046207 0 returned -16 17:26:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x2000000000000000, 0x0}) [ 2371.424743][T10972] binder: BINDER_SET_CONTEXT_MGR already set [ 2371.458582][T10972] binder: 10971:10972 ioctl 40046207 0 returned -16 [ 2371.503103][T10973] binder_transaction: 4 callbacks suppressed [ 2371.503124][T10973] binder: 10971:10973 transaction failed 29189/-3, size 24-8 line 3147 [ 2371.549433][T10972] binder: 10971:10972 Release 1 refcount change on invalid ref 0 ret -22 [ 2371.597651][T10951] device sit0 left promiscuous mode [ 2371.626633][T10973] binder_alloc: binder_alloc_mmap_handler: 10971 20001000-20004000 already mapped failed -16 [ 2371.651355][T10973] binder: BINDER_SET_CONTEXT_MGR already set [ 2371.663176][T10973] binder: 10971:10973 ioctl 40046207 0 returned -16 [ 2371.678570][T10974] binder: 10971:10974 transaction failed 29189/-3, size 24-8 line 3147 [ 2371.834049][T10955] device sit0 entered promiscuous mode [ 2372.720460][T10967] device sit0 left promiscuous mode [ 2372.984104][T10969] device sit0 entered promiscuous mode [ 2373.166269][T25500] binder: undelivered TRANSACTION_ERROR: 29189 [ 2373.173977][T25500] binder: send failed reply for transaction 1267 to 10913:10915 [ 2373.181903][T25500] binder: undelivered TRANSACTION_COMPLETE 17:26:23 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x2, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f0000000100)=0xfff) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:23 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:23 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x3f00000000000000, 0x0}) 17:26:23 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0xa, 0x0, &(0x7f0000000140)) syz_genetlink_get_family_id$tipc(0x0) sendmsg$TIPC_CMD_GET_NETID(0xffffffffffffffff, 0x0, 0x0) 17:26:23 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000700)={0x5, &(0x7f0000000200)=""/228, &(0x7f0000000680)=[{0x9, 0xd1, 0xff, &(0x7f0000000300)=""/209}, {0x8000, 0xdd, 0x1, &(0x7f0000000400)=""/221}, {0x5, 0x3e, 0x4, &(0x7f0000000500)=""/62}, {0x0, 0xf7, 0xff, &(0x7f0000000540)=""/247}, {0x7fff, 0x17, 0x8, &(0x7f0000000640)=""/23}]}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$DRM_IOCTL_GEM_FLINK(r2, 0xc008640a, &(0x7f0000000100)={0x0, 0x0}) ioctl$VIDIOC_LOG_STATUS(r2, 0x5646, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000140)={0x0, 0x0, 0x8ad}) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000180)={r4, r5, 0x3ff}) r6 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000740)=0x0) getpgrp(r8) syz_kvm_setup_cpu$x86(r3, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$KVM_GET_REG_LIST(r3, 0xc008aeb0, &(0x7f00000001c0)={0x5, [0x3, 0x731, 0xe11, 0x5, 0x9]}) unlinkat(r2, &(0x7f0000000780)='./file0\x00', 0x200) [ 2374.889591][T10977] device sit0 left promiscuous mode [ 2374.946949][T10987] binder: 10980:10987 Release 1 refcount change on invalid ref 0 ret -22 [ 2375.041976][T10992] binder_alloc: binder_alloc_mmap_handler: 10980 20001000-20004000 already mapped failed -16 [ 2375.083008][T10994] misc userio: Invalid payload size [ 2375.101590][T10992] binder_alloc_new_buf_locked: 3 callbacks suppressed [ 2375.101598][T10992] binder_alloc: 10980: binder_alloc_buf, no vma [ 2375.126359][T10992] binder: 10980:10992 transaction failed 29189/-3, size 24-8 line 3147 17:26:23 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:24 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0xa, 0x0, &(0x7f0000000140)) syz_genetlink_get_family_id$tipc(0x0) sendmsg$TIPC_CMD_GET_NETID(0xffffffffffffffff, 0x0, 0x0) [ 2375.183465][T10987] binder: 10980:10987 Release 1 refcount change on invalid ref 0 ret -22 [ 2375.210856][T23288] binder: release 10980:10987 transaction 1281 out, still active 17:26:24 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) mmap(&(0x7f000076e000/0x3000)=nil, 0x3000, 0x8000000100, 0x1000013, r0, 0xfffffffffffffff7) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x210002, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) getsockopt$inet_sctp6_SCTP_MAXSEG(r3, 0x84, 0xd, &(0x7f0000000100)=@assoc_value={0x0, 0x33}, &(0x7f0000000140)=0x8) ioctl$VT_OPENQRY(r3, 0x5600, &(0x7f0000000240)) getsockopt$inet_sctp_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f0000000180)={r4, 0x0, 0x1f, 0x1000, 0x2, 0x7}, &(0x7f00000001c0)=0x14) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) setsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r2, 0x84, 0xc, &(0x7f0000000200)=0x3, 0x4) syz_open_dev$rtc(&(0x7f0000000280)='/dev/rtc#\x00', 0x100000001, 0x4000) [ 2375.246311][T23288] binder: unexpected work type, 4, not freed [ 2375.296596][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2375.336373][T23288] binder_release_work: 8 callbacks suppressed 17:26:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4800000000000000, 0x0}) [ 2375.336380][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2375.384129][T23288] binder: send failed reply for transaction 1281, target dead [ 2375.419623][T11007] binder: 11006:11007 Release 1 refcount change on invalid ref 0 ret -22 17:26:24 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0xa, 0x0, &(0x7f0000000140)) syz_genetlink_get_family_id$tipc(0x0) sendmsg$TIPC_CMD_GET_NETID(0xffffffffffffffff, 0x0, 0x0) [ 2375.510222][T11011] binder_alloc: binder_alloc_mmap_handler: 11006 20001000-20004000 already mapped failed -16 17:26:24 executing program 2: r0 = socket$inet(0x2b, 0x1, 0x0) bind$inet(r0, &(0x7f0000000600)={0x2, 0x4e23, @multicast2}, 0x10) connect$inet(r0, &(0x7f00000001c0)={0x2, 0x4e23, @loopback}, 0xfffffe24) setsockopt$inet_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f00000003c0)='tls\x00', 0x1b5) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt(0xffffffffffffffff, 0x65, 0x10000000002, 0x0, 0x0) r1 = syz_open_dev$usbmon(&(0x7f00000001c0)='/dev/usbmon#\x00', 0x6, 0x4000) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(0xffffffffffffff9c, 0x84, 0x7b, &(0x7f0000000340)={0x0, 0x1f}, &(0x7f00000004c0)=0x8) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r1, 0x84, 0x73, &(0x7f0000000500)={r2, 0x4, 0x0, 0x5, 0x8a}, &(0x7f0000000540)=0x18) setsockopt$inet_sctp6_SCTP_ADD_STREAMS(0xffffffffffffffff, 0x84, 0x79, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000580)={r3, @in6={{0xa, 0x4e23, 0x8, @remote, 0x6}}, 0x0, 0x4, 0x8, 0xf0, 0x80}, 0x98) ioctl$CAPI_NCCI_OPENCOUNT(0xffffffffffffffff, 0x80044326, &(0x7f0000000380)=0x66) setsockopt$ARPT_SO_SET_ADD_COUNTERS(r1, 0x0, 0x61, &(0x7f0000000640)={'filter\x00', 0x4}, 0x68) rt_sigaction(0x2c, &(0x7f0000000180)={&(0x7f0000000100)="c4c27d30e1c48119769292c60000fa430fae5663c46250f7bd69000000c4e17b116023c4e1ad599d00b00000c40271bd6503660fe3a100000000c421515fce", {0x40000000001}, 0x88000000, 0x0}, &(0x7f0000000140)={&(0x7f0000000700)="8f89889757e2c483397871c0c36440d25870f30f5e9baa2a00000000223d28144cc46165f2df2e660f7c4600c4e1a1fd2c3cc4e3f916fd0344802900", {}, 0x0, &(0x7f00000006c0)="8f2938015af0c483790869500cc443c9480a008fea5012cd00e00000400face00566440fd2bb2a406152460f34f2400f1bf6c48291ddffc44135f36143"}, 0xffffffffffffffc9, &(0x7f00000002c0)) prctl$PR_GET_SECCOMP(0x15) r4 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0xfffffffffffffffe) fcntl$F_SET_RW_HINT(0xffffffffffffffff, 0x40c, 0x0) ioctl$FS_IOC_GETFSLABEL(r4, 0x81009431, &(0x7f00000003c0)) r5 = semget$private(0x0, 0x3, 0x0) semctl$GETNCNT(r5, 0x3, 0xe, &(0x7f0000000240)=""/24) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, &(0x7f0000000280)) ioctl$KVM_IRQ_LINE_STATUS(r4, 0xc008ae67, &(0x7f00000000c0)={0x5, 0x2}) shmget(0x0, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil) ioctl$KVM_X86_GET_MCE_CAP_SUPPORTED(0xffffffffffffffff, 0x8008ae9d, &(0x7f0000000000)=""/132) setsockopt$inet6_tcp_TLS_TX(r4, 0x6, 0x1, &(0x7f0000000200), 0x4) write$P9_RLERRORu(r4, &(0x7f0000000300)={0x11, 0x7, 0x2, {{0x4, 'tls\x00'}, 0x7}}, 0x11) unshare(0x40000000) setsockopt$inet_mreqsrc(r0, 0x11a, 0x2, 0x0, 0x0) 17:26:24 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f0000000100)={0x0, @in={{0x2, 0x4e20, @remote}}, 0x5, 0xe7a}, &(0x7f00000001c0)=0x90) setsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x76, &(0x7f0000000200)={r2, 0x1}, 0x8) openat$cgroup_procs(r0, &(0x7f0000001780)='cgroup.threads\x00', 0x2, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) set_mempolicy(0x4002, &(0x7f0000001740)=0xfffffffffffffffc, 0x7) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$KVM_ASSIGN_SET_MSIX_NR(r1, 0x4008ae73, &(0x7f00000017c0)={0x100, 0x3f}) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) preadv(r1, &(0x7f00000016c0)=[{&(0x7f0000000240)=""/4096, 0x1000}, {&(0x7f0000001240)=""/238, 0xee}, {&(0x7f0000001340)=""/136, 0x88}, {&(0x7f0000001400)=""/175, 0xaf}, {&(0x7f00000014c0)=""/248, 0xf8}, {&(0x7f00000015c0)=""/16, 0x10}, {&(0x7f0000001600)=""/171, 0xab}], 0x7, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2375.555725][T11007] binder: BINDER_SET_CONTEXT_MGR already set [ 2375.655868][T11007] binder: 11006:11007 ioctl 40046207 0 returned -16 [ 2375.655989][T11016] binder_alloc: 11006: binder_alloc_buf, no vma [ 2375.770488][T11007] binder: 11006:11007 Release 1 refcount change on invalid ref 0 ret -22 [ 2375.774986][T23288] binder: release 11006:11007 transaction 1286 out, still active [ 2375.800386][T23288] binder: unexpected work type, 4, not freed 17:26:24 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000100)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2375.829497][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2375.850125][T11016] binder: 11006:11016 transaction failed 29189/-3, size 24-8 line 3147 [ 2375.868070][T23288] binder: send failed reply for transaction 1286, target dead [ 2375.883443][T10998] device sit0 entered promiscuous mode 17:26:24 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:24 executing program 1: r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='children\x00') read$alg(r0, 0x0, 0x0) 17:26:24 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(r1, 0x84, 0x1b, &(0x7f0000000140)={0x0, 0xde, "278b4546eb25437c645810dbbcf08be59131be3a7ae664f328c196328ca541d5e177ffeb6ac63b09427d59cbf3b17657ae298a980863118e7101ba017b9026049029956fe7d6db82bcb967b185d3f8498619a3bbf089804c5fb5791aeee6f02dd37d05bf8156f733669ed05dc885dfc722e9b5f313b06d97fb3e3de286480544c9a5983c7900e173b670b6f5e9c88b32f00b3e27ad5b5546a10e8c5f59563d82ef7c1c10418e7d94320b1ea3fe04da02d567fb21e0865d80ed132a51b402be40d99e4ea1ed1c48df89626bd290fe39cef71307ef2335686f6f403fe3cb7d"}, &(0x7f0000000240)=0xe6) setsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000300)=@assoc_value={r6, 0xe40}, 0x8) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r4, 0x84, 0x72, &(0x7f0000000280)={r6, 0x401, 0x30}, &(0x7f00000002c0)=0xc) setsockopt$packet_int(r3, 0x107, 0xa, &(0x7f0000000100)=0xffff, 0x4) r7 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x4c00000000000000, 0x0}) [ 2376.106764][T11031] binder: 11029:11031 Release 1 refcount change on invalid ref 0 ret -22 [ 2376.172567][T11035] binder_alloc: binder_alloc_mmap_handler: 11029 20001000-20004000 already mapped failed -16 17:26:25 executing program 1: socket$inet_udplite(0x2, 0x2, 0x88) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f0000000040)=0x74, 0x4) bind$inet(r0, &(0x7f0000000180)={0x2, 0x4e23, @multicast1}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000000680)={0x2, 0x4e23, @local}, 0x10) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000080)=0xda9, 0x4) r1 = fcntl$dupfd(r0, 0x0, r0) write$binfmt_aout(r1, &(0x7f00000006c0)=ANY=[@ANYBLOB="0000330b587fb2cd110f000074a9ba057ef500000000001cece52ee54d8000000000000000e343fbe4938568af312b57f2ab113e17240a787fd89917eaa61d54c173b5725d2d8ca1e088bc0360812c95bcd3db11554e7ade33dc2fc2037320329a39cccce940fca93ed25f0db115599cd64db9071f7146d7546a0628a934d79e066b57b83fd8cb8acf45dbd68d630ef246ebcfbbb96dfe77794e19d9b041716cbe77ae8f31a741f02e127f4f5e245aec6a04557df9b0be5512b68ef7100c5d0e79141b681d22700a73a138499ec45e2a097156497c3944806bfb861f22b26a32e3fb6f1a31667b812eaf90d8cc8a05e07e2bcf1bbf5a994652ccde8546365a6b025b72cf613e495ebf7e6a758e81ee8407fa29b51b655b9ce45e4f1f6baaf2e48f7c340ae26e9987820d7681cdd34e6a132124885732fc5aef81cd74ce11188a77561e94421768345b4b36b6744146f73c54c1ae15f0165527f749d3c756b374929377c8f33bd75f0517b9b1c4dedb4dc162042956386a866c1aa39105c9b4e6a94c8cd19779f2dceb2f748d11cda977918867"], 0x193) write$RDMA_USER_CM_CMD_CREATE_ID(r1, &(0x7f0000000480)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000440), 0x0, 0x0, [0x9c00]}}, 0xfef5) ioctl(0xffffffffffffffff, 0x1000008912, 0x0) [ 2376.189815][T11015] IPVS: ftp: loaded support on port[0] = 21 [ 2376.257852][T11036] misc userio: Invalid payload size [ 2376.266044][T11031] binder: BINDER_SET_CONTEXT_MGR already set [ 2376.305056][T11031] binder: 11029:11031 ioctl 40046207 0 returned -16 [ 2376.305143][T11039] binder_alloc: 11029: binder_alloc_buf, no vma [ 2376.375503][T11039] binder: 11029:11039 transaction failed 29189/-3, size 24-8 line 3147 17:26:25 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6000000000000000, 0x0}) [ 2376.522494][T11042] IPVS: ftp: loaded support on port[0] = 21 [ 2376.662108][T11049] binder: BINDER_SET_CONTEXT_MGR already set [ 2376.692493][T11049] binder: 11048:11049 ioctl 40046207 0 returned -16 17:26:25 executing program 4: r0 = syz_open_dev$mice(&(0x7f0000000100)='/dev/input/mice\x00', 0x0, 0x0) bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000180)={r0, 0x2, 0x1, 0xc7f, &(0x7f0000000140)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x6}, 0x20) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) r2 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000240)='SEG6\x00') sendmsg$SEG6_CMD_SETHMAC(r1, &(0x7f0000000340)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000300)={&(0x7f0000000280)={0x78, r2, 0x0, 0x70bd29, 0x25dfdbff, {}, [@SEG6_ATTR_SECRET={0x10, 0x4, [0x3, 0x1ff, 0xc9]}, @SEG6_ATTR_DST={0x14, 0x1, @dev={0xfe, 0x80, [], 0x1b}}, @SEG6_ATTR_DST={0x14, 0x1, @initdev={0xfe, 0x88, [], 0x1, 0x0}}, @SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x8}, @SEG6_ATTR_DSTLEN={0x8, 0x2, 0x2}, @SEG6_ATTR_DSTLEN={0x8, 0x2, 0x6}, @SEG6_ATTR_DST={0x14, 0x1, @empty}]}, 0x78}, 0x1, 0x0, 0x0, 0xc0}, 0x2000c081) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_MAX_BURST(r4, 0x84, 0x14, &(0x7f00000001c0)=@int=0x8, 0x4) [ 2376.732833][T11051] binder_alloc: 11029: binder_alloc_buf, no vma [ 2376.777550][T11049] binder: 11048:11049 Release 1 refcount change on invalid ref 0 ret -22 [ 2376.792670][T11051] binder: 11048:11051 transaction failed 29189/-3, size 24-8 line 3147 [ 2376.924159][T11051] binder_alloc: binder_alloc_mmap_handler: 11048 20001000-20004000 already mapped failed -16 [ 2376.970154][T11049] binder: BINDER_SET_CONTEXT_MGR already set 17:26:25 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r3, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) fsetxattr$trusted_overlay_redirect(r0, &(0x7f0000000100)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x3) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0xffffffffffffffff) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) getsockopt$inet_sctp6_SCTP_MAXSEG(r5, 0x84, 0xd, &(0x7f0000000180)=@assoc_value={0x0, 0xc4f2}, &(0x7f00000001c0)=0x8) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000000200)={r7, @in={{0x2, 0x4e23, @local}}, [0x9, 0x2, 0xbab, 0x7b7a692e, 0x2355, 0x9, 0x3, 0x3f, 0x100, 0x0, 0x7b7, 0x6, 0x5, 0x6a5, 0x3]}, &(0x7f0000000300)=0x100) [ 2377.014253][T11049] binder: 11048:11049 ioctl 40046207 0 returned -16 [ 2377.019427][T11056] binder_alloc: 11029: binder_alloc_buf, no vma [ 2377.070209][T11056] binder: 11048:11056 transaction failed 29189/-3, size 24-8 line 3147 [ 2378.549598][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2378.559205][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2378.569216][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2378.579087][T23288] binder: send failed reply for transaction 1291 to 11029:11031 [ 2378.594397][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2378.602655][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2378.609083][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2378.623385][T11034] device sit0 left promiscuous mode [ 2378.839984][T11036] device sit0 entered promiscuous mode 17:26:31 executing program 2: r0 = socket$inet(0x2b, 0x1, 0x0) bind$inet(r0, &(0x7f0000000600)={0x2, 0x4e23, @multicast2}, 0x10) connect$inet(r0, &(0x7f00000001c0)={0x2, 0x4e23, @loopback}, 0xfffffe24) setsockopt$inet_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f00000003c0)='tls\x00', 0x1b5) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt(0xffffffffffffffff, 0x65, 0x10000000002, 0x0, 0x0) r1 = syz_open_dev$usbmon(&(0x7f00000001c0)='/dev/usbmon#\x00', 0x6, 0x4000) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(0xffffffffffffff9c, 0x84, 0x7b, &(0x7f0000000340)={0x0, 0x1f}, &(0x7f00000004c0)=0x8) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r1, 0x84, 0x73, &(0x7f0000000500)={r2, 0x4, 0x0, 0x5, 0x8a}, &(0x7f0000000540)=0x18) setsockopt$inet_sctp6_SCTP_ADD_STREAMS(0xffffffffffffffff, 0x84, 0x79, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000580)={r3, @in6={{0xa, 0x4e23, 0x8, @remote, 0x6}}, 0x0, 0x4, 0x8, 0xf0, 0x80}, 0x98) ioctl$CAPI_NCCI_OPENCOUNT(0xffffffffffffffff, 0x80044326, &(0x7f0000000380)=0x66) setsockopt$ARPT_SO_SET_ADD_COUNTERS(r1, 0x0, 0x61, &(0x7f0000000640)={'filter\x00', 0x4}, 0x68) rt_sigaction(0x2c, &(0x7f0000000180)={&(0x7f0000000100)="c4c27d30e1c48119769292c60000fa430fae5663c46250f7bd69000000c4e17b116023c4e1ad599d00b00000c40271bd6503660fe3a100000000c421515fce", {0x40000000001}, 0x88000000, 0x0}, &(0x7f0000000140)={&(0x7f0000000700)="8f89889757e2c483397871c0c36440d25870f30f5e9baa2a00000000223d28144cc46165f2df2e660f7c4600c4e1a1fd2c3cc4e3f916fd0344802900", {}, 0x0, &(0x7f00000006c0)="8f2938015af0c483790869500cc443c9480a008fea5012cd00e00000400face00566440fd2bb2a406152460f34f2400f1bf6c48291ddffc44135f36143"}, 0xffffffffffffffc9, &(0x7f00000002c0)) prctl$PR_GET_SECCOMP(0x15) r4 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0xfffffffffffffffe) fcntl$F_SET_RW_HINT(0xffffffffffffffff, 0x40c, 0x0) ioctl$FS_IOC_GETFSLABEL(r4, 0x81009431, &(0x7f00000003c0)) r5 = semget$private(0x0, 0x3, 0x0) semctl$GETNCNT(r5, 0x3, 0xe, &(0x7f0000000240)=""/24) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, &(0x7f0000000280)) ioctl$KVM_IRQ_LINE_STATUS(r4, 0xc008ae67, &(0x7f00000000c0)={0x5, 0x2}) shmget(0x0, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil) ioctl$KVM_X86_GET_MCE_CAP_SUPPORTED(0xffffffffffffffff, 0x8008ae9d, &(0x7f0000000000)=""/132) setsockopt$inet6_tcp_TLS_TX(r4, 0x6, 0x1, &(0x7f0000000200), 0x4) write$P9_RLERRORu(r4, &(0x7f0000000300)={0x11, 0x7, 0x2, {{0x4, 'tls\x00'}, 0x7}}, 0x11) unshare(0x40000000) setsockopt$inet_mreqsrc(r0, 0x11a, 0x2, 0x0, 0x0) 17:26:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6800000000000000, 0x0}) 17:26:31 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0xfffffffffffffffd) syz_kvm_setup_cpu$x86(r3, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$VIDIOC_G_PRIORITY(r2, 0x80045643, 0x2) 17:26:31 executing program 1: setsockopt$inet_MCAST_LEAVE_GROUP(0xffffffffffffffff, 0x0, 0x2d, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = open(&(0x7f0000000100)='.\x00', 0x0, 0x0) r1 = fcntl$dupfd(0xffffffffffffff9c, 0x0, 0xffffffffffffffff) getsockopt$IP6T_SO_GET_REVISION_TARGET(r1, 0x29, 0x45, &(0x7f0000000100)={'ipvs\x00'}, &(0x7f0000000380)=0x1e) r2 = creat(&(0x7f00000000c0)='./bus\x00', 0x0) r3 = socket$inet6(0xa, 0x400000000001, 0x0) r4 = dup(r3) ioctl$FICLONE(0xffffffffffffffff, 0x40049409, r3) setsockopt$inet6_tcp_int(r3, 0x6, 0x12, &(0x7f00000003c0)=0x7f, 0x4) bind$inet6(r3, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) write$cgroup_subtree(r1, &(0x7f0000000000)=ANY=[@ANYBLOB="04000000000000008820"], 0xa) sendto$inet6(r3, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) r5 = socket$inet6_tcp(0xa, 0x1, 0x0) dup(0xffffffffffffffff) setsockopt$SO_BINDTODEVICE(r3, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10) getsockopt$inet_tcp_buf(r4, 0x6, 0xb, &(0x7f00000001c0)=""/141, &(0x7f0000000280)=0x8d) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x29, 0x2a, &(0x7f00000002c0)={0x26b7, {{0xa, 0x4e24, 0x0, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x16}}, 0x1f000000}}}, 0x88) r6 = open(&(0x7f0000000440)='./bus\x00', 0x141042, 0x0) ftruncate(r6, 0x2007fff) ioctl$KVM_ASSIGN_SET_INTX_MASK(r1, 0x4040aea4, &(0x7f0000000080)={0x3, 0x9, 0x448674c4, 0x2, 0x4}) sendfile(r4, r6, 0x0, 0x8000fffffffe) ioctl$UI_SET_EVBIT(r2, 0x40045564, 0x5) ioctl$EXT4_IOC_SETFLAGS(r0, 0x40086602, 0x0) mkdir(&(0x7f0000000180)='./file0\x00', 0x0) setxattr$trusted_overlay_redirect(0x0, 0x0, 0x0, 0x0, 0x0) close(r5) creat(&(0x7f0000000280)='./file0\x00', 0x0) 17:26:31 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x400004, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$NBD_CLEAR_SOCK(r2, 0xab04) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:31 executing program 3: r0 = creat(&(0x7f0000000000)='./file0\x00', 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) ioctl$VT_DISALLOCATE(0xffffffffffffffff, 0x5608) close(r0) request_key(0x0, 0x0, 0x0, 0xfffffffffffffffc) sendmmsg$unix(0xffffffffffffffff, 0x0, 0x0, 0x0) getrusage(0x0, 0x0) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0x0, 0x0) syz_open_pts(r0, 0x0) [ 2382.926777][T11071] binder: 11065:11071 Release 1 refcount change on invalid ref 0 ret -22 [ 2382.984657][T11077] binder_alloc: binder_alloc_mmap_handler: 11065 20001000-20004000 already mapped failed -16 [ 2383.041449][T11071] binder: BINDER_SET_CONTEXT_MGR already set 17:26:31 executing program 3: r0 = socket$inet6(0x10, 0x2, 0x0) sendmsg(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f0000000040)="5500000018007f1d00fe01b2a4a280930a06000000a84599910000002900090008000c00010000001900150006000000000067c01338d54400009ba1136ef75a9251b77226483113e92f13e70b9cfb83de44b2ee3b", 0x55}], 0x1}, 0x0) [ 2383.087891][T11071] binder: 11065:11071 ioctl 40046207 0 returned -16 [ 2383.088588][T11081] binder_alloc: 11065: binder_alloc_buf, no vma [ 2383.166014][ T2678] binder: send failed reply for transaction 1298 to 11065:11071 17:26:32 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_KVMCLOCK_CTRL(r0, 0xaead) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f00002d9000/0x3000)=nil, 0x3000, 0x0, 0x40010, 0xffffffffffffffff, 0x1d) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f0000000180)={0x0}, &(0x7f00000001c0)=0x8) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000200)={r5, @in={{0x2, 0x4e23, @initdev={0xac, 0x1e, 0x1, 0x0}}}, 0x5, 0x0, 0x5, 0x7, 0x60}, &(0x7f00000002c0)=0x98) ioctl$KVM_SET_PIT2(r4, 0x4070aea0, &(0x7f0000000100)={[{0x0, 0x0, 0x9, 0x7ff, 0x4, 0x7, 0x5, 0x3, 0x8, 0xfffffffffffffff9, 0x3, 0x599, 0x1f}, {0x5, 0x7, 0x6, 0x1, 0x8, 0x100000000, 0x1, 0x0, 0x7, 0x2000, 0x6, 0x8, 0x8}, {0xfffffffffffffffc, 0x7, 0x0, 0x8, 0x3, 0x7, 0x7f, 0x4962, 0x300, 0x6, 0x0, 0x5, 0x1}], 0x1000}) r6 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) ioctl$TCSETAW(r2, 0x5407, &(0x7f0000000300)={0x2, 0x3, 0x8, 0x81, 0x0, 0x3, 0x9c, 0xcbb5, 0x9, 0xb402}) [ 2383.209689][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2383.243182][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:32 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/qat_adf_ctl\x00', 0x84000, 0x0) setsockopt$inet_tcp_TCP_QUEUE_SEQ(r0, 0x6, 0x15, &(0x7f0000000200), 0x4) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) getsockopt$inet_tcp_buf(r0, 0x6, 0x1c, &(0x7f0000000240)=""/65, &(0x7f00000002c0)=0x41) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) ioctl$ASHMEM_GET_NAME(r3, 0x81007702, &(0x7f0000000100)=""/156) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2383.282966][T11086] netlink: 13 bytes leftover after parsing attributes in process `syz-executor.3'. [ 2383.312762][T11081] binder: 11065:11081 transaction failed 29189/-3, size 24-8 line 3147 17:26:32 executing program 3: [ 2383.481755][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x6c00000000000000, 0x0}) 17:26:32 executing program 3: [ 2383.596197][T11075] IPVS: ftp: loaded support on port[0] = 21 [ 2383.749974][T11099] binder: 11097:11099 Release 1 refcount change on invalid ref 0 ret -22 [ 2383.825600][T11100] binder_alloc: binder_alloc_mmap_handler: 11097 20001000-20004000 already mapped failed -16 [ 2383.870765][T11099] binder: BINDER_SET_CONTEXT_MGR already set [ 2383.890648][T11099] binder: 11097:11099 ioctl 40046207 0 returned -16 17:26:32 executing program 2: 17:26:32 executing program 1: setsockopt$inet_MCAST_LEAVE_GROUP(0xffffffffffffffff, 0x0, 0x2d, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x2, 0x70, 0x41, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = open(&(0x7f0000000100)='.\x00', 0x0, 0x0) r1 = fcntl$dupfd(0xffffffffffffff9c, 0x0, 0xffffffffffffffff) getsockopt$IP6T_SO_GET_REVISION_TARGET(r1, 0x29, 0x45, &(0x7f0000000100)={'ipvs\x00'}, &(0x7f0000000380)=0x1e) r2 = creat(&(0x7f00000000c0)='./bus\x00', 0x0) r3 = socket$inet6(0xa, 0x400000000001, 0x0) r4 = dup(r3) ioctl$FICLONE(0xffffffffffffffff, 0x40049409, r3) setsockopt$inet6_tcp_int(r3, 0x6, 0x12, &(0x7f00000003c0)=0x7f, 0x4) bind$inet6(r3, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) write$cgroup_subtree(r1, &(0x7f0000000000)=ANY=[@ANYBLOB="04000000000000008820"], 0xa) sendto$inet6(r3, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) r5 = socket$inet6_tcp(0xa, 0x1, 0x0) dup(0xffffffffffffffff) setsockopt$SO_BINDTODEVICE(r3, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10) getsockopt$inet_tcp_buf(r4, 0x6, 0xb, &(0x7f00000001c0)=""/141, &(0x7f0000000280)=0x8d) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(0xffffffffffffffff, 0x29, 0x2a, &(0x7f00000002c0)={0x26b7, {{0xa, 0x4e24, 0x0, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x16}}, 0x1f000000}}}, 0x88) r6 = open(&(0x7f0000000440)='./bus\x00', 0x141042, 0x0) ftruncate(r6, 0x2007fff) ioctl$KVM_ASSIGN_SET_INTX_MASK(r1, 0x4040aea4, &(0x7f0000000080)={0x3, 0x9, 0x448674c4, 0x2, 0x4}) sendfile(r4, r6, 0x0, 0x8000fffffffe) ioctl$UI_SET_EVBIT(r2, 0x40045564, 0x5) ioctl$EXT4_IOC_SETFLAGS(r0, 0x40086602, 0x0) mkdir(&(0x7f0000000180)='./file0\x00', 0x0) setxattr$trusted_overlay_redirect(0x0, 0x0, 0x0, 0x0, 0x0) close(r5) creat(&(0x7f0000000280)='./file0\x00', 0x0) 17:26:32 executing program 3: 17:26:32 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) fcntl$F_SET_FILE_RW_HINT(r1, 0x40e, &(0x7f0000000100)=0x3) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_GET_NESTED_STATE(r0, 0xc080aebe, &(0x7f0000000140)={0x0, 0x0, 0x2080}) rt_sigpending(&(0x7f00000021c0), 0xffffffffffffffa2) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2383.945740][T11102] binder_alloc: 11097: binder_alloc_buf, no vma [ 2383.957720][T11102] binder: 11097:11102 transaction failed 29189/-3, size 24-8 line 3147 17:26:32 executing program 3: [ 2383.996747][T11099] binder: 11097:11099 Release 1 refcount change on invalid ref 0 ret -22 [ 2384.028118][ T2678] binder: release 11097:11099 transaction 1303 out, still active 17:26:32 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000240)) r4 = openat$dir(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x40000, 0x140) ppoll(&(0x7f0000000140)=[{r1, 0x10}, {r1, 0x40}, {r3, 0x202}, {r4, 0x4424}, {r2, 0x3400}], 0x5, &(0x7f0000000180)={0x0, 0x989680}, &(0x7f00000001c0)={0x9}, 0x8) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:32 executing program 2: [ 2384.060306][ T2678] binder: unexpected work type, 4, not freed 17:26:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7400000000000000, 0x0}) 17:26:32 executing program 3: mkdir(&(0x7f0000000380)='./file0\x00', 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)='proc\x00', 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000010c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) mount$bpf(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x20, &(0x7f0000000040)=ANY=[@ANYPTR=&(0x7f0000000180)=ANY=[]]) [ 2384.148253][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2384.172160][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:33 executing program 2: bpf$PROG_LOAD(0x5, &(0x7f000000c1c0)={0xf, 0x4, &(0x7f0000000080)=@framed={{}, [@call]}, &(0x7f0000000000)='syzkaller\x00', 0x6, 0x1000, &(0x7f0000000540)=""/4096}, 0x48) [ 2384.201298][ T2678] binder: send failed reply for transaction 1303, target dead [ 2384.279025][T11118] binder: 11117:11118 Release 1 refcount change on invalid ref 0 ret -22 [ 2384.316390][T11116] e proc: Unknown parameter '€' [ 2384.374436][T11121] e proc: Unknown parameter '€' [ 2384.388307][T11122] binder_alloc: binder_alloc_mmap_handler: 11117 20001000-20004000 already mapped failed -16 [ 2384.433792][T11118] binder: BINDER_SET_CONTEXT_MGR already set [ 2384.470170][T11118] binder: 11117:11118 ioctl 40046207 0 returned -16 17:26:33 executing program 2: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$rtc(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rtc0\x00', 0x0, 0x0) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ppoll(&(0x7f0000000e00)=[{r1}, {r2}], 0x2, 0x0, 0x0, 0x0) 17:26:33 executing program 3: syz_emit_ethernet(0x2a, &(0x7f0000000000)={@local, @dev, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x2f, 0x0, @rand_addr, @multicast1}, @icmp=@address_reply={0x2b6, 0xd00}}}}}, 0x0) [ 2384.479032][T11124] binder_alloc: 11117: binder_alloc_buf, no vma [ 2384.488160][T11124] binder: 11117:11124 transaction failed 29189/-3, size 24-8 line 3147 [ 2384.497304][T11118] binder: 11117:11118 Release 1 refcount change on invalid ref 0 ret -22 [ 2384.506643][T23288] binder: release 11117:11118 transaction 1308 out, still active [ 2384.517163][T23288] binder: unexpected work type, 4, not freed 17:26:33 executing program 1: syz_mount_image$ext4(&(0x7f0000000180)='ext4\x00', &(0x7f0000000000)='./file0\x00', 0xf4ffffff, 0x1, &(0x7f0000000080)=[{&(0x7f00000000c0)="80000a003804000019000300e60100006c000000000000000100000001000000004000000040000080000000000000006d5ebe5a0000ffff53ef", 0x3a, 0x400}], 0x0, 0x0) 17:26:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x7a00000000000000, 0x0}) [ 2384.576184][T23288] binder: undelivered TRANSACTION_COMPLETE [ 2384.600954][T23288] binder: undelivered TRANSACTION_ERROR: 29189 [ 2384.628469][T23288] binder: send failed reply for transaction 1308, target dead 17:26:33 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$KDSKBSENT(r0, 0x4b49, &(0x7f0000000240)="4abcc433667dd8a3b7f9970a57cae196400ff737e24a480d589fb786ab350ec5920db26bca042b82928619a86c80e474fd2926910a40c8c765592e67a8e6d2145484452b6d92cc16356febe327d64d98102fea8b828d2f9b13f2d21b70a235728aacea07c8fd8ca7a5ea4a6472491fa220f17de6c6c8f0688acee66941bb7ba229fb0f88b52e1a6232d8cf85bcf25e73c192c86efe3b157fc91a7a9f2fc4f67326b77f08e4fa43920816d46a53355063dbeea1a11a860f595b45fe5192b3f78b24245cd28157caa276ed7fc6d89a7173721fc155a07db0170d0fc12a1866bcb0dbd2f9c38a4eab48eb12a5c69890c8c5a703cfb34169dbd6f7d41c1466204635b5acdbdda4414aea9257e989629b2ee8f00fbb8d4861d0f205f138772b82fdbe3363ccb8df03aad37b8328b77695bd467bfda33b374a23f2a29777290ed8d06f27aee8b1105ac93831dcf2c036ac3742652497c98a4300e8d62072197ca849dfc84568dd814fa627eba084263c3aa22ba318eb3606bd3d265ed86fca64402db3a7fc98fd61ed05d20a883ae31976b0e59ec7b0325e3181ee857c734da7cb91f5630f577f98aedc7d157ef19b0a2f5dc8a663818d3661513b8d6392443b5dfca9e66b82eabf13d060f88ebf14b4289729c6d8f22fef8c5a7da50a7032583d4e11b70eb9b60b9c61221869699688dac1e96d24f04c38a7b7cde3565588ff62950fdb3e41ec034356c9c8ee6f4e15cd97bea3411b2ef157eeea6b5113c295dd0a1d228f85a903c24ce980ce8c54fee599e89dc82aa4863a30f66594a3eae873a2937d5bb5b897e4ead6d999f34b0a310327d1b81838c1f6c64b3a9964f09dada782ff2a57fd4763e6b8e16e2acae35e3f89efc07d4a28c95dffc7a3272f5b4bff34385583b63b3240cfac7780db4b49b52bdcce8da33e2ab56a2b39f0e2c9ec8a046ae3f21ec52b48b75d71609b23f464a2244e9bd90cc74aef6fe79a613d3fa1e775906b498ac209f725d7c7058d5bff1d9a635248b3af7b5a2edef701cf2fcac024d560a85e0aef8c55758f2d24b6b00fa37f7db8f2211c2a3c9209995b7f4de8a0ed2dd5477c3abfe4b8c1a8be4fc571fe7ce05c73129db10fc63f01020d58bbe200139d85bcfa65d7ea17ec5d06517c3de4e42527b4da59f942f9a4baba9575ba968bb5f231821c080b5a3c7bb13949974c0ff62273bbe1abf6ad5a6b5066b9d4ac96bd7a0ce059a22422c78ccb969791bab7a05f1755eca91ae5564ce11c72ecbc785c4ed39dd882ef5b9dc519917b32dc91bb005e24e26724a18fb41cb8dcdac5809efd0762e6461efa278f012ef02801ad7d62c5131ed7d08add446cd32ce88d2c1c29b3ef368ff40ed69ce06b45ff60c77107c8e967d095a12b45bb0fa7193361b436b88286e369c111777f156888d508bfdadff87409c9c337f8b6ab141ffaff1567ce9e31a82d2d14c8b848f44c227a633799b7c72277fcfd06bbf8abdc80679f6f43739540cfdaf42a99361e94d530032adf39a070481d6f29ac17088bf79bf0c289d6f2c362d8827e7ca4039aabe2c45da9ff66725d94599e10c11487d838123a783d83cf1a45c327020e0afaefda871569f74caab6e6b8a596e9b8261664bb62ab00d5bb356ee33be6cab93a1760ff967ec9026d25da441167ac0ed6e79428a0ea35fe7c5a6facc0b8438995f2fd4294c4529d80ab0e97d436832e1a80fff4e0497df48c029a6e3b83f6c2ed65d854e586b2b6dab72469229c14a39a831602a3479796df5070ed74fae6eb75a7d6a0deeb23adbfd34c8bfd0284804c7bf3cdeb229756e56a65e62b5c58d062bad40cddb2be0e19438f6b536aa0bd85b76c05254090dd9fea7d895805d9930f2fc91a4feb9da27437d0a923f55a5af4f47d8e0e196c8f1500754125dabcbb8808b08e11deb31385cdfb3401cc6545f1c7812a419869e41e330652a96381bf916734ac25d82a4c490f1c47d080bef10b0e8d60440fcfcf36c2a244bff613269d0a3c8c703d05fa17b5d9299ed15b854fc6cd5331199ad10ec86155f54bb1445ae6deb69b5bcce0f429b4dbfc277117362baf784e751ef5c1a2739a626acd15e8d2205e0b3536260f7258e75057f5e27f65c12627835f35a63555e983b317477f2c3f1661c82afeba81e025092dd7c1b1f546d4a741d16acbb9fbdb8c2cf3ad81f9f85693fe416e266f47aa53ff89405e8ed6fdbfcce94e0227192c4bbeaf9f1d4d2973cd0ea760724115c24567acf2c671e4ffd2d171810b36484829395ee230fcb4586e078d7659d8376ef7d1eedbb5871e175caf0f5c40b2e1c4ec49c1b2676c2ab8c3f8608b5b1b300c0da10f5e3ff807a4ef986d6a1b240347e1069f52c63c12b7407eaf3f175331ccf0d7ff9e1e38fafe15462fc95cf03758a642d5f630328b2afd30800d2fa2220066b660381c93f8182fd8de9cfa3aecdcde0b326c0711b2c4e146c1c9aba75b19314c23f42c4d8e83090c0bf25c7d5593cd1a1130f9df6458a5f085cc5a8079665130c2ee2e1454df0196c6a659292da1de4db76cb3ae37da98f9de5116da50cf12105a0d2e80eed99f11f3ce70c0de822d49c276a536e2bc847182c30526913cc860624a23344fcdbb65a486b1e32e8abd2c53229a9c11c2ebf67f305558c2454aaeb9ab5d24ca9f7a055d72e0bfbf63cb4fa150958993fbca1bbe289fd01e352f8d07476ad37150f953d6ff75d8a48911e6341e8e0812568f8d3be2a1ebce273c3b61944744cb20d0ac0dc53f8d9557a6ac9287a7cec60bdcc959b496582538250c87c6bdb25cccc366159f4035f5cb64e775f2a051401ef05a2428ab1781bd5d9cfc3e7b9472f6d3b015f88b4eec1a0f4472c0fe68d9fec00f0723a736a7f465299f61f7c633957240c29494bcd66eb202741dd40dcbf03acd77bbd00d052ac95064ed9763278650b7ef9ff48975b33ae02543e04fdff90fd6380240c9a72fd9232b41dc675d093fe3a629f85a1014efe0a8e176624bb196e5645e08910938b895ed0418e071b804bc604bea50334e713d5c3ba4557a5d9ebb7484e227691362548fffdf6b8753c8b369c050b9fc6af3df2c249493473f5ea0b348408b9beaf0bed9fa8f7208e527000e4619ea33f8619b1d9191fb9c3a275e22679d77fb8c289488470fc6e623bbeb259a67771d1182e6beef32e76a20c523f271ba7141036c7346b5eaa7f52fb75ec4404daf5e63c3fceec37a8d4cb27483f02d4cbd1adcf10ee391f9f866ef44f0d86314de8e4e363a1fd09382f130c6f24df136b6bd3c25123b91b1cd25fac8196972f5bdeae335fcbd6cff4a2808cd12809b474fa2a6ff5dd451906ed2e9061ac89480955d7549eb53252141bf02fac5b001a972c16244b2ced7f6cb414c475c8cbd883533e7856f02a0b34fbb0ab2e30e77263a20465ecc4b8abc922f1a6e9189e544c1a9975c25cb3536c2270bc54b776fe7e1f5c5cb562a5059e36102a50327642b6e16591644e17497a034f3dca731639edb307ea61a467bb65b9b163f85d102275ddac6dccae51dd1a3c2b03e7914c56b86ac4c9f892d28c3a43764739b2267495ffa53eaa192d4befdfd85bcf241662b1bd79b9e2590350746ae1d5f824830bbe114c08983968b5fc00442b89ea56ebc3917b45abe01dc82f04fb497dc918e272c8221249b04dbe2f1eb1655ed421589777a4780323a38017141fcb9e30a0be9336ab2eb721ed2ba6a6c93f80d3e6fca2789c29ee94c4bec54d73142bc5945be80e17464b8cfa3e4c1bb7c1abf185dcb8d5ffc37ea5c9904dad60cc1a18203009bee5b26840f2bd99b8c3ef0a693c9aeecf083ba8867a89c94cb66ef6b7470c9f7f5e5a57338a0b2a494f7e8096230f634a7ceef0348f954085939b03df21bb4d229a2bb0256ebd130b939d2b409b32a90703d1b6ccac58958f68a63a83a647e67f0a02bcbaec1bc0ae4960527e463f3e549eb12c39c2246c6e32586cb395a515f133836bcb72131a380d57b82eae6a7b76e3d5511cba55245e4bf2edd380de6d94b9a9a18ad34c4ed1014d8894d4bff682fee956a50ef83d820a375192d90c5e8da3e446ef5b5c64d23b67faa1157c804105bc1cf0318cb2059b083d071524d5976c0fdbebae0cede849d2490ad90fc7bbc0686a04981710abc849683310d1ab57194f8f4565ce42ce3a31e413dca53a342edb9fbd69f99ac859359b83b135f0c62396e0eae88e95c96c52ba06d1de28b5a3a97744a2e6cf4f1dc5475c6eb65291c2c3df1a4fb4910120b1cbfb41856d519886e068d127d004b27cb5b994e74d327cc63e7a10087b164bbd5db172146732dbcf6551c08a51d0d8a9a2d8b0fd2093f5f2ff33833c37bb9c0cdb72fd83581ddba537c376d7dccb9c05b4c851143827e4a073b2f9c4814f5233942a3a3939326ea24c84171d9fc5284b0faf097aafabc1990273f0fed815edd95b68059ab9c837964d4a4fcfb746b8339c7dacc39ddc59adf585b63d8d063124e293f2e8c650ed07ffe9a3dd01d921b79b51ed4bc7e9de0a28b7c2c725c201172d999bb8595fcf1c7332d58cd25289c86294c26fdbd562e5fd7ce900a05407da19728063be9ce0023ba599adcc08dd98285e52c9ec3ffbff267172ff028700b9c6cd29279c42653169a8ba8d61f1cd4ad9fc2b5b44430400d7d3267ae0a3e3bce5f25483a6456e255ca8f3e9453175427494be1193c58d22f2ff6ceac3a15f593fd5d824479d72e6377ed8c3c1cb46afdbfd3e3ab5f2399bda967099e36068c746400afa2b4bf9ab7d200b8f53e9f59cb73a7210b843452b6d38afd7bbe9357ab945ee47cf4e5cedd2c4a85d5d1a6e4a9cf10d1b9bfd5b9361cf6d59f7c49e60523ad8183a71a1aacaafdada8bd9091f087362608d7ffa8e92d325f2be1316aa4c7011e3dec6d324bf37bff049300962ba0695ea360d44160bce8f3a6f1dca7469780152b0e1918fe63f099b064b6c44e13ea765fb2a9cbbedd9a2778615eb26a3015e1a75aca865f3ce88839acac078fcd79ed47ea591f486df66fd4b9c23a15ea691658f731e93be31dcb13339e98f4097384549c9ec4f10352799a2b1943f494672d6d7376f0477a5d63c29d17696a5ae8c2ac60a5141f0773369d4f28d129b1d829b8c4e792a04abce509e95ed2e80eb27582ca81228158d287695afa7434e395ee9538402aa8d2db301b89482d8437a330edbc5414c215600e008f91749cd8a74653967a29356e8a74a2593ca4338a35f10301f22255db4746c29ee0c9d4932ac9b92ec223712a9e0c5c7d65e165955eac18f905fd5a8a0269806371954cabfa14fb26d9391604b8e4671174156e2164b9f2f0a8f87059c6c86a147605ed8e4276db6e8229ca591a6b440b7dd8688804d260443b6c12db685be55abe1ee02889ff8344dc205275c6c395fc554963621167d4af2591c1097327d154b0402f1d10ae6e239dc27f4a9e2f3927059bc9d9c105f16c3269575fa94d8b33a9b3d63dec6187d2b4bcaeabaf4955b923d570ec668d6ee804f50fd2b16af048252c310d57eddad8acd6ec119667da81ae21be7fc5ae2aed0b70599ea1876a317edc2be1b9e8a9c4eab78cafa29c2bb5f98e3470bb52a5773037d39d7728aaa9e5b1093439d7a5c39ba9f455943c8561f8ab3c7cb4364eed8078f6fb281acaefd41076c37adba0fdc8e32aa410d73a27471a655d7db3d4d0e00f550cd95860b1f879391ca2e7610c0a54a36d076f86faa5678c23b44a4edb166c56fdb9454c7676229f69a742becd77875f8ddb6d") ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = syz_genetlink_get_family_id$tipc(&(0x7f0000000140)='TIPC\x00') sendmsg$TIPC_CMD_GET_NODES(r0, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x1c, r1, 0x200, 0x70bd29, 0x25dfdbff, {}, ["", "", "", "", "", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x40000}, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:33 executing program 4: r0 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vfio/vfio\x00', 0x400, 0x0) ioctl$KVM_SET_GSI_ROUTING(r0, 0x4008ae6a, &(0x7f00000001c0)=ANY=[@ANYBLOB="01000000000000000400000005f3ff00000000000000000004000064c7a6c948b1e5dc0000000000000000000000000000000000000000002b0fbc4837f18716aaf3dc4b9e9591be2a7b5e48a02741000000ef1300"]) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$VIDIOC_ENUM_FRAMESIZES(r1, 0xc02c564a, &(0x7f0000000180)={0x4, 0x75327153, 0x1, @discrete={0x1, 0x5a}}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2384.690598][T11131] binder: 11129:11131 Release 1 refcount change on invalid ref 0 ret -22 17:26:33 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000240)) r4 = openat$dir(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x40000, 0x140) ppoll(&(0x7f0000000140)=[{r1, 0x10}, {r1, 0x40}, {r3, 0x202}, {r4, 0x4424}, {r2, 0x3400}], 0x5, &(0x7f0000000180)={0x0, 0x989680}, &(0x7f00000001c0)={0x9}, 0x8) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:33 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:33 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000700)={0x5, &(0x7f0000000200)=""/228, &(0x7f0000000680)=[{0x9, 0xd1, 0xff, &(0x7f0000000300)=""/209}, {0x8000, 0xdd, 0x1, &(0x7f0000000400)=""/221}, {0x5, 0x3e, 0x4, &(0x7f0000000500)=""/62}, {0x0, 0xf7, 0xff, &(0x7f0000000540)=""/247}, {0x7fff, 0x17, 0x8, &(0x7f0000000640)=""/23}]}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$DRM_IOCTL_GEM_FLINK(r2, 0xc008640a, &(0x7f0000000100)={0x0, 0x0}) ioctl$VIDIOC_LOG_STATUS(r2, 0x5646, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000140)={0x0, 0x0, 0x8ad}) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000180)={r4, r5, 0x3ff}) r6 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000740)=0x0) getpgrp(r8) syz_kvm_setup_cpu$x86(r3, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$KVM_GET_REG_LIST(r3, 0xc008aeb0, &(0x7f00000001c0)={0x5, [0x3, 0x731, 0xe11, 0x5, 0x9]}) unlinkat(r2, &(0x7f0000000780)='./file0\x00', 0x200) [ 2384.764100][T11136] binder_alloc: binder_alloc_mmap_handler: 11129 20001000-20004000 already mapped failed -16 [ 2384.804084][T11131] binder: BINDER_SET_CONTEXT_MGR already set [ 2384.881243][T11131] binder: 11129:11131 ioctl 40046207 0 returned -16 [ 2384.933681][ T2678] binder: release 11129:11131 transaction 1313 out, still active [ 2384.942825][T11136] binder_alloc: 11129: binder_alloc_buf, no vma [ 2384.952952][ T2678] binder: unexpected work type, 4, not freed [ 2384.988160][T11136] binder: 11129:11136 transaction failed 29189/-3, size 24-8 line 3147 [ 2385.001066][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2385.032613][ T2678] binder: send failed reply for transaction 1313, target dead 17:26:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0xfdfdffff00000000, 0x0}) [ 2385.091188][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:34 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000240)) r4 = openat$dir(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x40000, 0x140) ppoll(&(0x7f0000000140)=[{r1, 0x10}, {r1, 0x40}, {r3, 0x202}, {r4, 0x4424}, {r2, 0x3400}], 0x5, &(0x7f0000000180)={0x0, 0x989680}, &(0x7f00000001c0)={0x9}, 0x8) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:34 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2385.257432][T11159] binder: 11158:11159 Release 1 refcount change on invalid ref 0 ret -22 17:26:34 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$RTC_PLL_GET(r1, 0x80207011, &(0x7f0000000140)) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f0000000580)={{{@in6=@local, @in6=@ipv4={[], [], @remote}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast2}, 0x0, @in=@loopback}}, &(0x7f0000000540)=0xfffffffffffffd32) fsetxattr$security_capability(r0, &(0x7f0000000100)='security.capability\x00', &(0x7f0000000280)=@v3={0x3000000, [{0xfffffffffffffffa, 0x6}, {0x5, 0x3}], r3}, 0x18, 0x3) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r5 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$sock_inet6_SIOCADDRT(r1, 0x890b, &(0x7f00000002c0)={@mcast1, @rand_addr="265e739cd732ea57b4aafd493c0e4182", @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x80000001, 0x401, 0x8000, 0x100, 0x1, 0x10000, r2}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$sock_FIOGETOWN(r1, 0x8903, &(0x7f0000000380)=0x0) syz_open_procfs(r6, &(0x7f00000003c0)='uid_map\x00') ioctl$TCGETS(r5, 0x5401, &(0x7f0000000040)) r7 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r5, r8, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$FIBMAP(r1, 0x1, &(0x7f0000000340)=0x8) [ 2385.370059][T11163] binder_alloc: binder_alloc_mmap_handler: 11158 20001000-20004000 already mapped failed -16 [ 2385.378565][T11159] binder: BINDER_SET_CONTEXT_MGR already set [ 2385.409531][T11159] binder: 11158:11159 ioctl 40046207 0 returned -16 17:26:34 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000700)={0x5, &(0x7f0000000200)=""/228, &(0x7f0000000680)=[{0x9, 0xd1, 0xff, &(0x7f0000000300)=""/209}, {0x8000, 0xdd, 0x1, &(0x7f0000000400)=""/221}, {0x5, 0x3e, 0x4, &(0x7f0000000500)=""/62}, {0x0, 0xf7, 0xff, &(0x7f0000000540)=""/247}, {0x7fff, 0x17, 0x8, &(0x7f0000000640)=""/23}]}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$DRM_IOCTL_GEM_FLINK(r2, 0xc008640a, &(0x7f0000000100)={0x0, 0x0}) ioctl$VIDIOC_LOG_STATUS(r2, 0x5646, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000140)={0x0, 0x0, 0x8ad}) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000180)={r4, r5, 0x3ff}) r6 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000740)=0x0) getpgrp(r8) syz_kvm_setup_cpu$x86(r3, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$KVM_GET_REG_LIST(r3, 0xc008aeb0, &(0x7f00000001c0)={0x5, [0x3, 0x731, 0xe11, 0x5, 0x9]}) unlinkat(r2, &(0x7f0000000780)='./file0\x00', 0x200) 17:26:34 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000700)={0x5, &(0x7f0000000200)=""/228, &(0x7f0000000680)=[{0x9, 0xd1, 0xff, &(0x7f0000000300)=""/209}, {0x8000, 0xdd, 0x1, &(0x7f0000000400)=""/221}, {0x5, 0x3e, 0x4, &(0x7f0000000500)=""/62}, {0x0, 0xf7, 0xff, &(0x7f0000000540)=""/247}, {0x7fff, 0x17, 0x8, &(0x7f0000000640)=""/23}]}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$DRM_IOCTL_GEM_FLINK(r2, 0xc008640a, &(0x7f0000000100)={0x0, 0x0}) ioctl$VIDIOC_LOG_STATUS(r2, 0x5646, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000140)={0x0, 0x0, 0x8ad}) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000180)={r4, r5, 0x3ff}) r6 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000740)=0x0) getpgrp(r8) syz_kvm_setup_cpu$x86(r3, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$KVM_GET_REG_LIST(r3, 0xc008aeb0, &(0x7f00000001c0)={0x5, [0x3, 0x731, 0xe11, 0x5, 0x9]}) unlinkat(r2, &(0x7f0000000780)='./file0\x00', 0x200) 17:26:34 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000240)) r4 = openat$dir(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x40000, 0x140) ppoll(&(0x7f0000000140)=[{r1, 0x10}, {r1, 0x40}, {r3, 0x202}, {r4, 0x4424}, {r2, 0x3400}], 0x5, &(0x7f0000000180)={0x0, 0x989680}, &(0x7f00000001c0)={0x9}, 0x8) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2385.538513][T11170] binder_alloc: 11158: binder_alloc_buf, no vma [ 2385.576854][T11170] binder: 11158:11170 transaction failed 29189/-3, size 24-8 line 3147 [ 2385.650169][T12655] binder: release 11158:11159 transaction 1318 out, still active [ 2385.657960][T12655] binder: unexpected work type, 4, not freed [ 2385.746794][T12655] binder: undelivered TRANSACTION_COMPLETE 17:26:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="e7ffffffffffffff"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cachefiles\x00', 0x0, 0x0) bind$netrom(r2, &(0x7f00000000c0)={{0x3, @default, 0x8}, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]}, 0x48) r3 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x3, 0x2) setsockopt$inet_tcp_TCP_CONGESTION(r3, 0x6, 0xd, &(0x7f0000000040)='scalable\x00', 0x9) [ 2385.799356][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2385.840161][T12655] binder: send failed reply for transaction 1318, target dead [ 2385.891256][T11183] binder: 11182:11183 got transaction to context manager from process owning it 17:26:34 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r2, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2385.997084][T11183] binder: 11182:11183 transaction failed 29201/-22, size 24-8 line 2985 [ 2386.005692][T11184] binder: 11182:11184 Release 1 refcount change on invalid ref 0 ret -22 [ 2386.127609][T11187] device sit0 entered promiscuous mode [ 2386.144515][T11184] binder_alloc: binder_alloc_mmap_handler: 11182 20001000-20004000 already mapped failed -16 [ 2386.183214][T11188] binder_alloc: 11182: binder_alloc_buf, no vma 17:26:35 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ftruncate(r1, 0x7ff) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:35 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r2, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:35 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000700)={0x5, &(0x7f0000000200)=""/228, &(0x7f0000000680)=[{0x9, 0xd1, 0xff, &(0x7f0000000300)=""/209}, {0x8000, 0xdd, 0x1, &(0x7f0000000400)=""/221}, {0x5, 0x3e, 0x4, &(0x7f0000000500)=""/62}, {0x0, 0xf7, 0xff, &(0x7f0000000540)=""/247}, {0x7fff, 0x17, 0x8, &(0x7f0000000640)=""/23}]}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$DRM_IOCTL_GEM_FLINK(r2, 0xc008640a, &(0x7f0000000100)={0x0, 0x0}) ioctl$VIDIOC_LOG_STATUS(r2, 0x5646, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000140)={0x0, 0x0, 0x8ad}) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000180)={r4, r5, 0x3ff}) r6 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000740)=0x0) getpgrp(r8) syz_kvm_setup_cpu$x86(r3, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$KVM_GET_REG_LIST(r3, 0xc008aeb0, &(0x7f00000001c0)={0x5, [0x3, 0x731, 0xe11, 0x5, 0x9]}) unlinkat(r2, &(0x7f0000000780)='./file0\x00', 0x200) [ 2386.237240][T11184] binder: BINDER_SET_CONTEXT_MGR already set 17:26:35 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000100)='/dev/vbi#\x00', 0x1, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2386.288369][T11188] binder: 11182:11188 transaction failed 29189/-3, size 24-8 line 3147 [ 2386.346933][T11184] binder: 11182:11184 ioctl 40046207 0 returned -16 [ 2386.347433][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 [ 2386.397021][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2386.474211][T11201] misc userio: Invalid payload size 17:26:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB="069794b72444f48ffa60303e0032f6b3ae8e32b3c2a14208dc4997ba01f320c1ccc7c7310e331082524ee646b76fea20c5448d70a69d4e43ee9aff2929a33b05bd0c62cc38cea00a3d64c96cb600e1384e6043020c6c827c066f885334eafdfa9cad4c379a7e6c272ca6d684c8a2122c1d9bcf3493ed2ce9821860156f8771a3c83f0579f99d9501e1c63530d7208035609ebe4df3"]], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2386.652260][T11207] binder: 11206:11207 got transaction to context manager from process owning it [ 2386.671153][T11207] binder: 11206:11207 transaction failed 29201/-22, size 24-8 line 2985 [ 2386.714632][T11209] binder: 11206:11209 Release 1 refcount change on invalid ref 0 ret -22 [ 2386.718582][T11196] device sit0 left promiscuous mode [ 2386.780599][T11209] binder_alloc: binder_alloc_mmap_handler: 11206 20001000-20004000 already mapped failed -16 17:26:35 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2386.841246][T11207] binder: BINDER_SET_CONTEXT_MGR already set [ 2386.868958][T11207] binder: 11206:11207 ioctl 40046207 0 returned -16 17:26:35 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2386.923257][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 17:26:35 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r2, 0xc00c642d, &(0x7f0000000100)={0x0, 0x80000, r2}) ioctl$DRM_IOCTL_GEM_FLINK(r1, 0xc008640a, &(0x7f0000000140)={0x0, 0x0}) ioctl$DRM_IOCTL_GEM_FLINK(r1, 0xc008640a, &(0x7f0000000180)={r3, r4}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) open_by_handle_at(r0, &(0x7f00000001c0)={0x12, 0x5, "beffe53fec538622400d"}, 0x81) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) fcntl$getflags(r0, 0x3) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = fcntl$dupfd(r0, 0x406, r1) getsockopt$inet_mreq(r2, 0x0, 0x27, &(0x7f0000000000)={@rand_addr, @local}, &(0x7f0000000040)=0x8) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:35 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$VHOST_NET_SET_BACKEND(r0, 0x4008af30, &(0x7f0000000100)={0x3, r0}) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2387.191663][T11220] binder: 11217:11220 Release 1 refcount change on invalid ref 0 ret -22 [ 2387.272757][T11205] device sit0 entered promiscuous mode [ 2387.308206][T11226] binder: BINDER_SET_CONTEXT_MGR already set [ 2387.351834][T11226] binder: 11217:11226 ioctl 40046207 0 returned -16 17:26:36 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2387.421242][T11220] binder_alloc: 11217: binder_alloc_buf, no vma [ 2387.444323][T11220] binder: 11217:11220 transaction failed 29189/-3, size 24-8 line 3147 [ 2387.492602][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 [ 2387.502664][ T2678] binder: send failed reply for transaction 1328 to 11217:11220 17:26:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x1, 0x800) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2387.541894][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2387.637910][T11235] binder: BINDER_SET_CONTEXT_MGR already set [ 2387.664554][T11235] binder: 11233:11235 ioctl 40046207 0 returned -16 [ 2387.686790][T11234] binder_alloc: 11233: binder_alloc_buf, no vma [ 2387.715718][T11234] binder: 11233:11234 transaction failed 29189/-3, size 24-8 line 3147 17:26:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = dup3(r0, r0, 0x80000) ioctl$KVM_SET_DEVICE_ATTR(r2, 0x4018aee1, &(0x7f0000000040)={0x0, 0x1, 0x5, &(0x7f0000000000)=0x20}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2387.856623][T11238] binder: BINDER_SET_CONTEXT_MGR already set [ 2387.870101][T11238] binder: 11237:11238 ioctl 40046207 0 returned -16 [ 2387.885941][T11238] binder_alloc: 11233: binder_alloc_buf, no vma [ 2387.906662][T11239] binder_alloc: binder_alloc_mmap_handler: 11237 20001000-20004000 already mapped failed -16 [ 2387.930022][T11238] binder: BINDER_SET_CONTEXT_MGR already set [ 2387.943384][T11238] binder: 11237:11238 ioctl 40046207 0 returned -16 [ 2387.958548][T11239] binder_alloc: 11233: binder_alloc_buf, no vma 17:26:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles\x00', 0x800, 0x0) ioctl$EVIOCGABS20(r2, 0x80184560, &(0x7f0000000080)=""/170) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x20000, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) [ 2388.079303][T11242] binder: BINDER_SET_CONTEXT_MGR already set [ 2388.101902][T11242] binder: 11241:11242 ioctl 40046207 0 returned -16 [ 2388.136599][T11243] binder_alloc: 11233: binder_alloc_buf, no vma [ 2388.166626][T11243] binder: BINDER_SET_CONTEXT_MGR already set [ 2388.189370][T11243] binder: 11241:11243 ioctl 40046207 0 returned -16 [ 2388.217807][T11242] binder_alloc: 11233: binder_alloc_buf, no vma 17:26:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="0600008e61abc500"]], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2388.370931][T11245] binder: BINDER_SET_CONTEXT_MGR already set [ 2388.394305][T11245] binder: 11244:11245 ioctl 40046207 0 returned -16 [ 2388.424654][T11246] binder_alloc: 11233: binder_alloc_buf, no vma [ 2388.448597][T11246] binder_transaction: 4 callbacks suppressed [ 2388.448614][T11246] binder: 11244:11246 transaction failed 29189/-3, size 24-8 line 3147 [ 2388.492526][T11245] binder_thread_write: 3 callbacks suppressed [ 2388.492541][T11245] binder: 11244:11245 Release 1 refcount change on invalid ref 0 ret -22 [ 2388.544319][T11246] binder_alloc: binder_alloc_mmap_handler: 11244 20001000-20004000 already mapped failed -16 [ 2388.588525][T11246] binder: BINDER_SET_CONTEXT_MGR already set [ 2388.638753][T11245] binder: 11244:11245 Release 1 refcount change on invalid ref 0 ret -22 [ 2388.650319][T11246] binder: 11244:11246 ioctl 40046207 0 returned -16 [ 2388.683286][T11247] binder_alloc: 11233: binder_alloc_buf, no vma [ 2388.719956][T11247] binder: 11244:11247 transaction failed 29189/-3, size 24-8 line 3147 17:26:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x7, 0x410000) bpf$MAP_DELETE_ELEM(0x3, &(0x7f00000000c0)={r1, &(0x7f0000000040)="362e7124eb25d7e55e4ed8913acf18d905ace7de749290151b6bf39f02dff1b0dc959c09760f09f6c185622ee4cd4c68080d77358a8287d412d55859edcb4e904ade3af18af6322c473f03867119dd9e64ddc3c4b3801d543edcc0a0366550ef90dfe8ec34cd5e32df1ddee192f766356381535c391b038cccd2"}, 0x10) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$SG_GET_SCSI_ID(r1, 0x2276, &(0x7f0000000100)) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) openat$vimc2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/video2\x00', 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) getsockopt$inet_sctp6_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, &(0x7f00000003c0)={0x0, 0x9, 0x8, 0xcc, 0x80000001, 0x1cdb94b5, 0x97bc, 0xffffffffffffffff, {0x0, @in={{0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x17}}}, 0xfffffffffffffffa, 0xd8, 0x9, 0x8000}}, &(0x7f0000000180)=0xb0) getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r1, 0x84, 0x75, &(0x7f0000000280)={r3, 0x9a3}, &(0x7f00000002c0)=0x8) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2388.832741][T11249] binder_alloc: 11233: binder_alloc_buf, no vma [ 2388.852806][T11249] binder: 11248:11249 transaction failed 29189/-3, size 24-8 line 3147 [ 2388.888476][T11250] binder_alloc: 11233: binder_alloc_buf, no vma [ 2388.904067][T11250] binder: 11248:11250 transaction failed 29189/-3, size 24-8 line 3147 17:26:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x2) pipe(&(0x7f0000000280)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$VIDIOC_SUBDEV_G_EDID(r3, 0xc0285628, &(0x7f00000003c0)={0x0, 0x0, 0x2, [], &(0x7f00000002c0)=0xff}) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r4 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x0, 0x0) setsockopt$sock_void(r4, 0x1, 0x3f, 0x0, 0x0) r5 = syz_open_dev$mice(&(0x7f0000000040)='/dev/input/mice\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f00000000c0)={0x0, 0x100, 0x3, 0x7, 0x7, 0x7}, &(0x7f0000000100)=0x14) getsockopt$inet_sctp6_SCTP_MAXSEG(r4, 0x84, 0xd, &(0x7f0000000140)=@assoc_id=r6, &(0x7f0000000180)=0x4) ioctl$KVM_GET_XCRS(r5, 0x8188aea6, &(0x7f0000000080)={0x1, 0x2000, [{0x4, 0x0, 0x80000000}]}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) getsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r2, 0x84, 0x12, &(0x7f0000000400), &(0x7f0000000440)=0x4) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2389.047292][T11252] binder: BINDER_SET_CONTEXT_MGR already set [ 2389.067070][T11252] binder: 11251:11252 ioctl 40046207 0 returned -16 [ 2389.096587][T11252] binder_alloc: 11233: binder_alloc_buf, no vma [ 2389.117836][T11252] binder: 11251:11252 transaction failed 29189/-3, size 24-8 line 3147 [ 2389.147450][T11252] binder: 11251:11252 Release 1 refcount change on invalid ref 0 ret -22 [ 2389.185814][T11254] binder_alloc: binder_alloc_mmap_handler: 11251 20001000-20004000 already mapped failed -16 [ 2389.217849][T11252] binder: BINDER_SET_CONTEXT_MGR already set [ 2389.238168][T11252] binder: 11251:11252 ioctl 40046207 0 returned -16 [ 2389.264234][T11254] binder_alloc: 11233: binder_alloc_buf, no vma [ 2389.286035][T11254] binder: 11251:11254 transaction failed 29189/-3, size 24-8 line 3147 [ 2389.310651][T11255] binder: 11251:11255 Release 1 refcount change on invalid ref 0 ret -22 [ 2390.099433][T11213] device sit0 left promiscuous mode [ 2390.116774][T12655] binder_release_work: 1 callbacks suppressed [ 2390.116781][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.142029][T11216] device sit0 entered promiscuous mode [ 2390.143387][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.159709][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.166175][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.178585][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.185604][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.197265][T11221] device sit0 left promiscuous mode [ 2390.197781][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.208869][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.221460][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.227883][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2390.238285][T12655] binder: send failed reply for transaction 1333 to 11233:11234 17:26:39 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2390.248417][T12655] binder: undelivered TRANSACTION_COMPLETE 17:26:39 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) signalfd4(r0, &(0x7f0000000000)={0x7}, 0x8, 0x80800) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) vmsplice(r1, &(0x7f0000000100)=[{&(0x7f0000000040)="1f2278fe3e15da4e773b48204c47d6f83e70026669fc3ea1a2074f8073bfa7ebd1fe509c1a8494991103345d6ea89365d911d002b753c420c0181fd950ea43f64c4bd232a37b099380469994dbd9ee96c552bc11e67733532a6a8cd7141a7e0c7b0774cbf95b555213fb1dda4f1542937f1f77b537d999dbb72d5f014c49a035b9778dfb741ea39cb762", 0x8a}], 0x1, 0x9) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x5, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x1c3, 0x0, 0x0}) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:39 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000100)='IPVS\x00') sendmsg$IPVS_CMD_SET_CONFIG(r0, &(0x7f0000000240)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)={0x44, r1, 0x400, 0x70bd2c, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x100000001}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xc166}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'veth1_to_bridge\x00'}]}]}, 0x44}, 0x1, 0x0, 0x0, 0x10}, 0x800) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0xffffdfffffdfffff, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:39 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) setsockopt$inet_sctp6_SCTP_RECVRCVINFO(r2, 0x84, 0x20, &(0x7f0000000100)=0x4, 0x4) [ 2390.433741][T11224] device sit0 entered promiscuous mode [ 2390.459402][T11230] device sit0 left promiscuous mode [ 2390.551905][T11260] binder: 11259:11260 got transaction to context manager from process owning it [ 2390.609617][T11260] binder: 11259:11260 transaction failed 29201/-22, size 24-8 line 2985 [ 2390.645606][T11268] binder: 11259:11268 Release 1 refcount change on invalid ref 0 ret -22 [ 2390.714212][T11260] binder: 11259:11260 ioctl c0306201 200001c0 returned -14 [ 2390.787598][T11268] binder_alloc: binder_alloc_mmap_handler: 11259 20001000-20004000 already mapped failed -16 [ 2390.848072][T11260] binder: BINDER_SET_CONTEXT_MGR already set [ 2390.906443][T11260] binder: 11259:11260 ioctl 40046207 0 returned -16 [ 2390.906542][T11268] binder: 11259:11268 got transaction to context manager from process owning it [ 2390.973089][T11231] device sit0 entered promiscuous mode [ 2390.985648][T11268] binder: 11259:11268 transaction failed 29201/-22, size 24-8 line 2985 [ 2391.033702][T11268] binder: 11259:11268 ioctl c0306201 200001c0 returned -14 17:26:39 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:39 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:39 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0xfffffffffffffffd) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="04000000"], 0x0, 0x0, 0x0}) [ 2391.255625][T11283] binder: BINDER_SET_CONTEXT_MGR already set [ 2391.345850][T11283] binder: 11282:11283 ioctl 40046207 0 returned -16 [ 2391.350049][T11286] binder_alloc: 11259: binder_alloc_buf, no vma [ 2391.358759][T11286] binder: 11282:11286 transaction failed 29189/-3, size 24-8 line 3147 [ 2391.392757][T11283] binder: 11282:11283 unknown command 4 [ 2391.425852][T11283] binder: 11282:11283 ioctl c0306201 20000380 returned -22 [ 2391.535842][T11286] binder_alloc: binder_alloc_mmap_handler: 11282 20001000-20004000 already mapped failed -16 [ 2391.564728][T11283] binder: BINDER_SET_CONTEXT_MGR already set [ 2391.582114][T11283] binder: 11282:11283 ioctl 40046207 0 returned -16 [ 2391.597758][T11257] device sit0 left promiscuous mode [ 2391.603109][T11290] binder_alloc: 11259: binder_alloc_buf, no vma [ 2391.622835][T11258] device sit0 entered promiscuous mode [ 2391.636997][T11290] binder: 11282:11290 transaction failed 29189/-3, size 24-8 line 3147 [ 2391.678863][T11267] device sit0 left promiscuous mode 17:26:40 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f0000000100)={0x0, 0x2b2}, &(0x7f0000000140)=0x8) setsockopt$inet_sctp6_SCTP_AUTH_KEY(r2, 0x84, 0x17, &(0x7f0000000180)={r4, 0x5, 0x16, "bf3cc4cbd11262f75bd0607c3d95b95e815339909b40"}, 0x1e) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:40 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r3, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$SCSI_IOCTL_SYNC(0xffffffffffffffff, 0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:40 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0xfffffffffffffffc) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2391.851847][T11294] binder: BINDER_SET_CONTEXT_MGR already set [ 2391.894808][T11294] binder: 11293:11294 ioctl 40046207 0 returned -16 [ 2391.939152][T11294] binder: 11293:11294 Release 1 refcount change on invalid ref 0 ret -22 [ 2391.985147][T11301] binder_alloc: binder_alloc_mmap_handler: 11293 20001000-20004000 already mapped failed -16 [ 2392.000900][T11273] device sit0 entered promiscuous mode [ 2392.047788][T11294] binder: BINDER_SET_CONTEXT_MGR already set [ 2392.101260][T11294] binder: 11293:11294 ioctl 40046207 0 returned -16 [ 2392.101985][T11303] binder: 11293:11303 Release 1 refcount change on invalid ref 0 ret -22 17:26:40 executing program 3: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) openat$audio(0xffffffffffffff9c, 0x0, 0x8200, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) r2 = dup(r1) r3 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/userio\x00', 0x2, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r3, &(0x7f0000000240)={0x1, 0x4000000000005}, 0x2) setsockopt$CAIFSO_REQ_PARAM(r2, 0x116, 0x80, &(0x7f0000000280), 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:26:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2) r2 = getuid() r3 = getgid() getresuid(&(0x7f0000000040), &(0x7f0000000080), &(0x7f00000000c0)=0x0) lstat(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r6 = getuid() getgroups(0x7, &(0x7f0000000280)=[0xee01, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xee00]) r8 = geteuid() r9 = getegid() write$FUSE_DIRENTPLUS(r1, &(0x7f00000004c0)={0x2a0, 0xffffffffffffffda, 0x5, [{{0x4, 0x1, 0x4, 0x80, 0x6, 0x1f, {0x4, 0x5, 0x5, 0xffffffffffffffe1, 0x8, 0x20, 0x1, 0x0, 0x2, 0x5, 0x4, r2, r3, 0xe46, 0x1}}, {0x0, 0x58f, 0xb, 0x0, 'user#&em1lo'}}, {{0x6, 0x1, 0x0, 0x7, 0x8, 0x8000, {0x4, 0x9, 0x8, 0x2e, 0x101, 0x9, 0x6, 0x400000000000, 0x40, 0x825, 0xff, r4, r5, 0x4, 0x4}}, {0x0, 0x4, 0xd, 0xb313, '/dev/binder#\x00'}}, {{0x1, 0x2, 0x4, 0x4, 0x3, 0x7, {0x4, 0x4, 0x6, 0x100, 0x9, 0x3, 0x5, 0x0, 0x2, 0x0, 0x0, r6, r7, 0x8, 0x1}}, {0xffffffffffff41d7, 0x4, 0xd, 0x7, '/dev/binder#\x00'}}, {{0x0, 0x0, 0xffffffffd65920ea, 0x7fffffff, 0x8, 0x2, {0x5, 0xf4, 0x400, 0x100, 0x3ff, 0x5, 0x200, 0x0, 0x4, 0x9, 0x8, r8, r9, 0x6a, 0x4}}, {0x2, 0x325, 0x0, 0xffffffffffff248c}}]}, 0x2a0) r10 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r10, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r10, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="55fa31ede634a881"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r10, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$swradio(&(0x7f0000000400)='/dev/swradio#\x00', 0x0, 0x2) write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f0000000440)={0x30, 0x5, 0x0, {0x0, 0x5, 0x5075c624, 0x5dc1}}, 0x30) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f00000004c0)=ANY=[@ANYRES64=r1, @ANYRESOCT=r0, @ANYRESDEC, @ANYRES32=r1, @ANYRES32=r0, @ANYRES32=r1, @ANYRESOCT=0x0, @ANYRES16=r2, @ANYRESHEX=r2], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) r3 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x1000, 0x80) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f0000000040)={0x0, @in={{0x2, 0x4e24, @initdev={0xac, 0x1e, 0x1, 0x0}}}, [0xa2, 0x8000, 0x6ae, 0xeb, 0xff, 0x2, 0x6, 0x7f, 0x0, 0x4, 0xffffffffffffffc1, 0x80000001, 0x51, 0xfffffffffffff801, 0x100000001]}, &(0x7f0000000140)=0x100) setsockopt$TIPC_GROUP_JOIN(r3, 0x10f, 0x87, &(0x7f00000002c0)={0x43, 0x4, 0x3}, 0x10) openat$apparmor_task_current(0xffffffffffffff9c, &(0x7f00000003c0)='/proc/self/attr/current\x00', 0x2, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r3, 0x84, 0x22, &(0x7f0000000180)={0x4, 0x2, 0x81c, 0x1, r4}, &(0x7f0000000280)=0x10) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2392.478854][T11312] binder: BINDER_SET_CONTEXT_MGR already set [ 2392.509097][T11312] binder: 11311:11312 ioctl 40046207 0 returned -16 [ 2392.526503][T11313] binder: 11311:11313 Release 1 refcount change on invalid ref 0 ret -22 [ 2392.567713][T11314] binder_alloc: binder_alloc_mmap_handler: 11311 20001000-20004000 already mapped failed -16 [ 2392.606177][T11312] binder: BINDER_SET_CONTEXT_MGR already set [ 2392.608261][T11314] binder: 11311:11314 Release 1 refcount change on invalid ref 0 ret -22 [ 2392.645799][T11312] binder: 11311:11312 ioctl 40046207 0 returned -16 17:26:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2392.814742][T11316] binder: BINDER_SET_CONTEXT_MGR already set [ 2392.839289][T11316] binder: 11315:11316 ioctl 40046207 0 returned -16 [ 2392.874716][T11316] binder: BINDER_SET_CONTEXT_MGR already set [ 2392.897708][T11316] binder: 11315:11316 ioctl 40046207 0 returned -16 [ 2392.923498][T11317] binder: 11315:11317 Release 1 refcount change on invalid ref 0 ret -22 [ 2392.959489][T11317] binder_alloc: binder_alloc_mmap_handler: 11315 20001000-20004000 already mapped failed -16 [ 2392.994681][T11316] binder: BINDER_SET_CONTEXT_MGR already set [ 2393.015357][T11316] binder: 11315:11316 ioctl 40046207 0 returned -16 [ 2393.039314][T11318] binder: BINDER_SET_CONTEXT_MGR already set [ 2393.080424][T11318] binder: 11315:11318 ioctl 40046207 0 returned -16 [ 2394.087037][T11281] device sit0 left promiscuous mode [ 2394.283824][T11285] device sit0 entered promiscuous mode 17:26:43 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x940000) 17:26:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) r2 = getgid() stat(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) umount2(&(0x7f0000000180)='./file0\x00', 0xe) setregid(r2, r3) r4 = syz_open_dev$sndpcmp(&(0x7f00000000c0)='/dev/snd/pcmC#D#p\x00', 0x101, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x3, &(0x7f0000000100)={0xffffffffffffffff}, 0x117, 0x1009}}, 0x20) write$RDMA_USER_CM_CMD_ACCEPT(r4, &(0x7f00000004c0)={0x8, 0x120, 0xfa00, {0x2, {0x6, 0x80000001, "32ebc1e77a7fe42122199605ac48966863460b30efd1358b45886100e5b9e21cc4c72192be230865050b35df48205aff19fc823c3b0e59bbbbb3e0a3e57823b3008cf7ea78301691812fe2bd0139130399ee8fbe0b1420f3cd25890c03283f724fae243f371cd624b44aa4e9e83e7c7315652b934f56ea8957c40c97405147ca875edeb9c7c11682523d47b3e5239abc284e721017a5b7e63b91c41b5818ed8499127d595b7d1055b3715a634097e16778785d14e4f7cff3e4aadd8c147a15f170916f4db54d1e97f8a3def0024d2a8210b0dfed883509ea3dae526747e5a4e44a59fd52bf0319a956156e953d2e35c3e6caefea5a912b7284f7880bf442e4bb", 0x33, 0x15, 0x0, 0x6ea, 0x3, 0x2, 0x100000001}, r5}}, 0x128) 17:26:43 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:43 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) fsetxattr$trusted_overlay_redirect(r1, &(0x7f0000000100)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x3) [ 2394.422432][T11324] binder_thread_write: 1 callbacks suppressed [ 2394.422448][T11324] binder: 11320:11324 Release 1 refcount change on invalid ref 0 ret -22 [ 2394.542089][T11330] binder_alloc: binder_alloc_mmap_handler: 11320 20001000-20004000 already mapped failed -16 [ 2394.587723][T11324] binder: BINDER_SET_CONTEXT_MGR already set [ 2394.620013][T11324] binder: 11320:11324 ioctl 40046207 0 returned -16 17:26:43 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$sock_inet_SIOCGIFBRDADDR(r0, 0x8919, &(0x7f0000000100)={'veth1\x00', {0x2, 0x4e23, @rand_addr=0x6}}) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2394.701598][T11335] binder_alloc_new_buf_locked: 8 callbacks suppressed [ 2394.701606][T11335] binder_alloc: 11320: binder_alloc_buf, no vma [ 2394.746776][T11324] binder: 11320:11324 Release 1 refcount change on invalid ref 0 ret -22 [ 2394.776651][T11335] binder_transaction: 8 callbacks suppressed [ 2394.776669][T11335] binder: 11320:11335 transaction failed 29189/-3, size 24-8 line 3147 [ 2396.543344][T11297] device sit0 left promiscuous mode [ 2396.552594][T12655] binder_release_work: 14 callbacks suppressed [ 2396.552601][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2396.573500][T11299] device sit0 entered promiscuous mode [ 2396.579199][T12655] binder: send failed reply for transaction 1361 to 11320:11324 [ 2396.594226][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2396.608526][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:45 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x1, 0x20011, r0, 0x0) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x400000, 0x0) r3 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00') ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000440)={'eql\x00', 0x4000}) sendmsg$TIPC_NL_MEDIA_GET(r2, &(0x7f00000002c0)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x108}, 0xc, &(0x7f0000000280)={&(0x7f00000000c0)={0xd4, r3, 0x800, 0x70bd26, 0x25dfdbfc, {}, [@TIPC_NLA_NET={0x24, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x1}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x100000001}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x5}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x5}]}, @TIPC_NLA_NET={0x24, 0x7, [@TIPC_NLA_NET_NODEID={0xc, 0x3, 0x24e3}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x8401}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x2}]}, @TIPC_NLA_SOCK={0xc, 0x2, [@TIPC_NLA_SOCK_REF={0x8, 0x2, 0x7}]}, @TIPC_NLA_MEDIA={0x6c, 0x5, [@TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x80000000000}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xe}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0x44, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x800}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xd6}]}]}]}, 0xd4}, 0x1, 0x0, 0x0, 0x4080}, 0x20008040) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$int_in(r2, 0x5421, &(0x7f0000000400)=0x3ff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r4 = getpid() syz_open_procfs(r4, &(0x7f00000003c0)='clear_refs\x00') ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2396.635000][T11306] device sit0 left promiscuous mode 17:26:45 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2396.721873][T11341] binder_alloc: 11340: binder_alloc_buf, no vma [ 2396.748402][T11341] binder: 11340:11341 transaction failed 29189/-3, size 24-8 line 3147 [ 2396.795405][T11341] binder: 11340:11341 Release 1 refcount change on invalid ref 0 ret -22 [ 2396.860698][T11344] binder: BINDER_SET_CONTEXT_MGR already set [ 2396.891238][T11347] binder_alloc: 11340: binder_alloc_buf, no vma [ 2396.900457][T11348] binder: 11340:11348 Release 1 refcount change on invalid ref 0 ret -22 [ 2396.930317][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 [ 2396.937162][T11344] binder: 11340:11344 ioctl 40046207 0 returned -16 [ 2396.960890][T11347] binder: 11340:11347 transaction failed 29189/-3, size 24-8 line 3147 [ 2397.038318][T11309] device sit0 entered promiscuous mode [ 2397.045004][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:46 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x740000) 17:26:46 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x3f) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000100)='/dev/vbi#\x00', 0x3, 0x2) alarm(0x7) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x2) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x6) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:46 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(r0, 0x0, 0x80000, 0x2) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f00008b6000/0x18000)=nil, 0x0, 0x0, 0x62, 0x0, 0x0) 17:26:46 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) fsetxattr$trusted_overlay_redirect(r1, &(0x7f0000000100)='trusted.overlay.redirect\x00', &(0x7f0000000140)='./file0\x00', 0x8, 0x3) 17:26:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000000)={0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0xfe9c, 0x0, &(0x7f0000000100)=[@exit_looper, @reply={0x40406301, {0x4, 0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)=[@flat={0x77622a85, 0xa, r2, 0x2}, @fda={0x66646185, 0x5, 0x2, 0x3d}, @fd={0x66642a85, 0x0, r1, 0x0, 0x3}], &(0x7f00000000c0)=[0x48, 0x18, 0x28]}}, @acquire={0x40046305, 0x1}, @acquire_done={0x40106309, r2, 0x1}, @clear_death={0x400c630f, 0x4, 0x3}], 0x2a, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000180)=ANY=[@ANYRESHEX=0x0], 0x7d, 0x0, 0x0}) [ 2397.270278][T11354] binder: 11352:11354 got reply transaction with no transaction stack [ 2397.322818][T11354] binder: 11352:11354 transaction failed 29201/-71, size 0-0 line 2899 [ 2397.387436][T11362] binder: 11352:11362 unknown command 808482864 [ 2397.429484][T11362] binder: 11352:11362 ioctl c0306201 20000380 returned -22 [ 2397.490925][T11354] binder: 11352:11354 ioctl c0306201 200001c0 returned -14 [ 2397.547581][T11362] binder_alloc: binder_alloc_mmap_handler: 11352 20001000-20004000 already mapped failed -16 [ 2397.632858][T11354] binder: 11352:11354 got reply transaction with no transaction stack [ 2397.633878][T11367] binder: 11352:11367 unknown command 808482864 17:26:46 executing program 2: ioctl$IOC_PR_PREEMPT(0xffffffffffffffff, 0x401870cb, &(0x7f0000000200)={0x200}) pselect6(0x40, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2397.690693][T11354] binder: 11352:11354 transaction failed 29201/-71, size 0-0 line 2899 [ 2397.701412][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 [ 2397.723054][T11354] binder: 11352:11354 ioctl c0306201 200001c0 returned -14 [ 2397.743193][T11367] binder: 11352:11367 ioctl c0306201 20000380 returned -22 17:26:46 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) setsockopt$IP_VS_SO_SET_ADDDEST(r0, 0x0, 0x487, &(0x7f0000000140)={{0x2c, @initdev={0xac, 0x1e, 0x0, 0x0}, 0x4e22, 0x4, 'none\x00', 0x6, 0xd3, 0x2c}, {@local, 0x4e22, 0x0, 0x6, 0x6, 0x5}}, 0x44) ioctl$DRM_IOCTL_INFO_BUFS(r0, 0xc0106418, &(0x7f0000000100)={0x1, 0xb79, 0x40, 0x20, 0x11, 0x8}) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) rt_sigaction(0x2a, &(0x7f0000000280)={&(0x7f00000001c0)="c4e16915e2c4027d5a3ac4a3455c72008c3e660f38dee34f0fae899d15b940c4217e70ab424b0000e00f01d88fe97812c3c4637d1db20293d4205ac4036944f98f", {0x6}, 0x40000006, &(0x7f0000000240)="3e40d8dcc421ff124194c46251bf674466450fd5cac4211c5700c4c1c65325fac5000040debb0e000000450f8cf9ffff7f460fcd2e64673e66660fe55ae8"}, &(0x7f0000000340)={&(0x7f00000002c0)="0f01d6c4010dfc11670f65e3f2420f5d0c3f8f897c806871420fa1c4a2359aeec4c29bf5a300100000450fc5fe00f246a7", {}, 0x0, &(0x7f0000000300)="d9ca47d9ec67660f552bc402fd339d59a49180c403257eb394ac00000fc482899eb100000000440fc232ae3e470f4d79fe262e26646440ca8a7ac4e27d0e0a"}, 0x8, &(0x7f0000000380)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) ioctl$KVM_KVMCLOCK_CTRL(r2, 0xaead) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:46 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x740000) 17:26:46 executing program 2: ioctl$IOC_PR_PREEMPT(0xffffffffffffffff, 0x401870cb, &(0x7f0000000200)={0x200}) pselect6(0x40, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2397.807222][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 17:26:46 executing program 5: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:46 executing program 2: ioctl$IOC_PR_PREEMPT(0xffffffffffffffff, 0x401870cb, &(0x7f0000000200)={0x200}) pselect6(0x40, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:48 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0x0, 0x3) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0xfffffffffffffd56, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="1112a143bbdbe6d92bb7590663c4b9"], 0x0, 0x0, 0x0}) r2 = syz_open_dev$sndpcmp(&(0x7f0000000040)='/dev/snd/pcmC#D#p\x00', 0x6, 0x8080) write$ppp(r2, &(0x7f0000000080)="e588796c4dcee5df00ba01624cffb1a80c62ce901efd2b284ddf7c6a0eebfef80fba8a32cffbe1126c2745b4274a4821f7a0e30310418680a912ba258b4c1f4e542111b82d79a46a5f1d513c759180b2fcec464a22a0848bf986abbc4478f849f74cf3ed4d1ce49c", 0x68) 17:26:48 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r3, r2, &(0x7f0000bf5000/0x18000)=nil, &(0x7f0000000140)=[@textreal={0x8, &(0x7f0000000100)="66b9800000c00f326635008000000f30ba2100ed2e2e0f75a30872660f38336d1b67260f32660f71d70c0f01d12ef4f30fe68f04000f32", 0x37}], 0x1, 0x1, &(0x7f0000000180)=[@efer={0x2, 0x1000}], 0x1) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:48 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x4b160000, 0x0, 0xa0008000) 17:26:48 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x740000) [ 2399.541898][T11386] binder: 11385:11386 got transaction with invalid offset (0, min 0 max 24) or object. 17:26:48 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) pwritev(r0, &(0x7f0000000240)=[{&(0x7f0000000140)="7d085a8e92d526b38fc0e063693dd87e5b67b6bf15222115367ded8b8cbbbd5168fe824f5f84c4d8ea44dc657e5f90f082056eecd6f61a56", 0x38}, {&(0x7f0000000180)="bc2f4d039fed6053198c48f33d72eec554cd4e69f7f7eeede3c17cf492a15ccd585cc4a0dad9a9fec3d31f46a5764eeec151444df076", 0x36}, {&(0x7f00000001c0)="6adfa7d9a9f61bc11818f077d4a34d7f4b8607f1cf57d9175fac", 0x1a}, {&(0x7f0000000200)="78f583068485d15c528439b644892ddfb318", 0x12}], 0x4, 0x0) getgroups(0x2, &(0x7f00000000c0)=[0xee00, 0xee01]) fstat(r3, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setgroups(0x2, &(0x7f00000002c0)=[r4, r5]) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TIOCCBRK(r3, 0x5428) faccessat(r1, &(0x7f0000000100)='./file0\x00', 0x80, 0x100) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r6 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) pipe2(&(0x7f0000000280), 0x84000) syz_kvm_setup_cpu$x86(r6, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xffffffffffffff9a, 0x10, 0x0, 0xfffffffffffffe49) [ 2399.584197][T11386] binder: 11385:11386 transaction failed 29201/-22, size 24-8 line 3241 [ 2399.643540][T11394] binder_alloc: binder_alloc_mmap_handler: 11385 20001000-20004000 already mapped failed -16 [ 2399.707534][T11386] binder: BINDER_SET_CONTEXT_MGR already set [ 2399.761109][T11386] binder: 11385:11386 ioctl 40046207 0 returned -16 [ 2399.765235][T11400] binder_alloc: 11385: binder_alloc_buf, no vma 17:26:48 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x20000000, 0x0, 0xa0008000) [ 2399.897713][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 [ 2399.911298][T11400] binder: 11385:11400 transaction failed 29189/-3, size 24-8 line 3147 [ 2399.998172][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:48 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x13, r1, 0x0) fsetxattr$security_selinux(r1, &(0x7f0000000000)='security.selinux\x00', &(0x7f0000000040)='system_u:object_r:var_lib_t:s0\x00', 0x1f, 0x1) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x200, 0x0) ioctl$KDGETKEYCODE(r2, 0x4b4c, &(0x7f00000000c0)={0x74d1, 0x3}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:48 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2400.195676][T11411] binder: 11410:11411 Release 1 refcount change on invalid ref 0 ret -22 17:26:49 executing program 4: r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000140)='/proc/self/net/pfkey\x00', 0x103100, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x20000000000000, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x4080, 0x400}, 0x0, 0xffffffffffffffff, r0, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = accept4$unix(r1, &(0x7f0000000180)=@abs, &(0x7f0000000200)=0x6e, 0x800) epoll_ctl$EPOLL_CTL_DEL(r0, 0x2, r3) r4 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r5 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r4, 0x800c6613, &(0x7f0000000100)={0x0, @speck128, 0x2, "de81b98cf3df0480"}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r6 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r5, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:49 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2400.258298][T11417] binder_alloc: binder_alloc_mmap_handler: 11410 20ffd000-20fff000 already mapped failed -16 17:26:49 executing program 2: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) pwritev(r0, &(0x7f0000000240)=[{&(0x7f0000000140)="7d085a8e92d526b38fc0e063693dd87e5b67b6bf15222115367ded8b8cbbbd5168fe824f5f84c4d8ea44dc657e5f90f082056eecd6f61a56", 0x38}, {&(0x7f0000000180)="bc2f4d039fed6053198c48f33d72eec554cd4e69f7f7eeede3c17cf492a15ccd585cc4a0dad9a9fec3d31f46a5764eeec151444df076", 0x36}, {&(0x7f00000001c0)="6adfa7d9a9f61bc11818f077d4a34d7f4b8607f1cf57d9175fac", 0x1a}, {&(0x7f0000000200)="78f583068485d15c528439b644892ddfb318", 0x12}], 0x4, 0x0) getgroups(0x2, &(0x7f00000000c0)=[0xee00, 0xee01]) fstat(r3, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) setgroups(0x2, &(0x7f00000002c0)=[r4, r5]) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TIOCCBRK(r3, 0x5428) faccessat(r1, &(0x7f0000000100)='./file0\x00', 0x80, 0x100) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r6 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) pipe2(&(0x7f0000000280), 0x84000) syz_kvm_setup_cpu$x86(r6, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xffffffffffffff9a, 0x10, 0x0, 0xfffffffffffffe49) [ 2400.363768][T11417] binder: BINDER_SET_CONTEXT_MGR already set [ 2400.392253][T11417] binder: 11410:11417 ioctl 40046207 0 returned -16 [ 2400.435803][T11411] binder_alloc: 11410: binder_alloc_buf, no vma [ 2400.450390][T11422] binder: 11410:11422 Release 1 refcount change on invalid ref 0 ret -22 [ 2400.468344][ T2678] binder: release 11410:11411 transaction 1375 out, still active 17:26:49 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2400.484638][ T2678] binder: unexpected work type, 4, not freed [ 2400.502164][T11411] binder: 11410:11411 transaction failed 29189/-3, size 24-8 line 3147 [ 2400.513946][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2400.548035][ T2678] binder: send failed reply for transaction 1375, target dead [ 2400.590926][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x8, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:49 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) syz_open_dev$audion(&(0x7f00000000c0)='/dev/audio#\x00', 0x6, 0x2000) ioctl$DRM_IOCTL_GEM_OPEN(r1, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) fcntl$setflags(r0, 0x2, 0x1) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) setsockopt$inet6_tcp_TCP_ULP(r1, 0x6, 0x1f, &(0x7f0000000000)='tls\x00', 0x4) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) connect$tipc(0xffffffffffffffff, &(0x7f0000000180)=@nameseq={0x1e, 0x1, 0x3, {0x40, 0x0, 0x4}}, 0x10) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:49 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) sync() ioctl$KVM_PPC_GET_PVINFO(r2, 0x4080aea1, &(0x7f0000000100)=""/7) 17:26:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x13, r1, 0x0) fsetxattr$security_selinux(r1, &(0x7f0000000000)='security.selinux\x00', &(0x7f0000000040)='system_u:object_r:var_lib_t:s0\x00', 0x1f, 0x1) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x200, 0x0) ioctl$KDGETKEYCODE(r2, 0x4b4c, &(0x7f00000000c0)={0x74d1, 0x3}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:49 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) ioctl(0xffffffffffffffff, 0x2000c2604110, &(0x7f0000000000)) [ 2400.769476][T11432] binder: 11429:11432 got transaction to context manager from process owning it [ 2400.837638][T11432] binder: 11429:11432 transaction failed 29201/-22, size 24-8 line 2985 17:26:49 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x9000000, 0x0, 0xa0008000) 17:26:49 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) ioctl(0xffffffffffffffff, 0x2000c2604110, &(0x7f0000000000)) [ 2400.893524][T11439] binder: 11429:11439 Release 1 refcount change on invalid ref 0 ret -22 17:26:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x13, r1, 0x0) fsetxattr$security_selinux(r1, &(0x7f0000000000)='security.selinux\x00', &(0x7f0000000040)='system_u:object_r:var_lib_t:s0\x00', 0x1f, 0x1) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x200, 0x0) ioctl$KDGETKEYCODE(r2, 0x4b4c, &(0x7f00000000c0)={0x74d1, 0x3}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2400.955760][T11432] binder: BINDER_SET_CONTEXT_MGR already set [ 2401.017313][T12655] binder: undelivered TRANSACTION_ERROR: 29201 [ 2401.031082][T11432] binder: 11429:11432 ioctl 40046207 0 returned -16 17:26:49 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) ioctl(0xffffffffffffffff, 0x2000c2604110, &(0x7f0000000000)) 17:26:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0x0, 0x204) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0xff, 0x0) setsockopt$inet6_opts(r2, 0x29, 0x3f, &(0x7f0000000040)=@hopopts={0x6, 0x8, [], [@pad1, @enc_lim={0x4, 0x1, 0x5}, @calipso={0x7, 0x38, {0x7, 0xc, 0xd9, 0x5e58, [0xc3b, 0x2, 0x2, 0x6, 0x800, 0x1]}}]}, 0x48) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000140)=ANY=[@ANYBLOB="0063404000000000000000000000000000000000001cb3de16992ff600000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$PPPIOCCONNECT(r2, 0x4004743a, &(0x7f00000000c0)=0x3) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x13, r1, 0x0) fsetxattr$security_selinux(r1, &(0x7f0000000000)='security.selinux\x00', &(0x7f0000000040)='system_u:object_r:var_lib_t:s0\x00', 0x1f, 0x1) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x200, 0x0) ioctl$KDGETKEYCODE(r2, 0x4b4c, &(0x7f00000000c0)={0x74d1, 0x3}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:50 executing program 3: r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2401.298697][T11454] binder_alloc: 11453: binder_alloc_buf size 2305843009213693952 failed, no address space [ 2401.337990][T11454] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) 17:26:50 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r1, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x500180de7f0000, 0x0, 0x375) [ 2401.359259][T11454] binder: 11453:11454 transaction failed 29201/-28, size 1729382256910270464-576460752303423488 line 3147 [ 2401.442077][T11460] binder: 11453:11460 Release 1 refcount change on invalid ref 0 ret -22 [ 2401.494956][T11457] binder_alloc: binder_alloc_mmap_handler: 11453 20001000-20004000 already mapped failed -16 [ 2401.525376][T11454] binder: BINDER_SET_CONTEXT_MGR already set 17:26:50 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xfffe) 17:26:50 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_SET_DEVICE_ATTR(r0, 0x4018aee1, &(0x7f0000000140)={0x0, 0x8, 0x3, &(0x7f0000000100)=0x2}) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:50 executing program 3: r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2401.543962][T11454] binder: 11453:11454 ioctl 40046207 0 returned -16 17:26:50 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x9400) [ 2401.616248][T11457] binder_alloc: 11453: binder_alloc_buf, no vma [ 2401.616535][T11470] binder: 11453:11470 Release 1 refcount change on invalid ref 0 ret -22 17:26:50 executing program 3: r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2401.658044][T11457] binder: 11453:11457 transaction failed 29189/-3, size 1729382256910270464-576460752303423488 line 3147 17:26:50 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$UI_ABS_SETUP(r2, 0x401c5504, &(0x7f0000000100)={0x4, {0x1, 0x0, 0x17, 0x5, 0x7, 0x800}}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:50 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xfffe) 17:26:50 executing program 3: pselect6(0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x8}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x2, 0x10, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) ioctl$TUNSETNOCSUM(0xffffffffffffffff, 0x400454c8, 0x1) 17:26:50 executing program 3: pselect6(0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x8}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2402.000087][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 [ 2402.038639][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 17:26:50 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0xfffe) 17:26:50 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) munmap(&(0x7f0000ffb000/0x4000)=nil, 0x4000) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$DRM_IOCTL_RM_MAP(r0, 0x4028641b, &(0x7f0000000180)={&(0x7f00002a2000/0x3000)=nil, 0x6, 0x1, 0x0, &(0x7f0000048000/0x4000)=nil, 0x1ff}) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:50 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x7400) [ 2402.204932][T11490] binder: 11488:11490 transaction failed 29189/-22, size 24-8 line 2994 17:26:51 executing program 3: pselect6(0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x8}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:51 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) getsockopt$inet_sctp_SCTP_NODELAY(r0, 0x84, 0x3, &(0x7f0000000100), &(0x7f0000000140)=0x4) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2402.312011][T11490] binder: 11488:11490 transaction failed 29189/-22, size 24-8 line 2994 [ 2402.425430][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2402.435894][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x20000000000, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) r2 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000280)='/dev/qat_adf_ctl\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(0xffffffffffffffff, 0x84, 0x7c, &(0x7f0000000040)={0x0, 0x1, 0x9}, &(0x7f0000000080)=0x8) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f00000000c0)={r3, @in={{0x2, 0x4e24, @empty}}, 0x8001, 0x8, 0x7, 0x6, 0x48}, &(0x7f0000000180)=0x98) 17:26:51 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:51 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$UI_ABS_SETUP(r2, 0x401c5504, &(0x7f0000000100)={0x4, {0x1, 0x0, 0x17, 0x5, 0x7, 0x800}}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2402.562365][T11508] binder_alloc: 11505: binder_alloc_buf, no vma [ 2402.586077][T11508] binder: 11505:11508 transaction failed 29189/-3, size 24-8 line 3147 [ 2402.632312][T11511] binder: 11505:11511 Release 1 refcount change on invalid ref 0 ret -22 17:26:51 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$UI_SET_ABSBIT(r0, 0x40045567, 0x4) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000001c0)='TIPC\x00') sendmsg$TIPC_CMD_SET_LINK_TOL(r0, &(0x7f0000000280)={&(0x7f0000000180), 0xc, &(0x7f0000000240)={&(0x7f00000002c0)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="000328bd7000fedbdf25010000000000000007410000001400180010ffd0e90f707a3244e4ba1200000000"], 0x30}, 0x1, 0x0, 0x0, 0x20000000}, 0x41) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$SG_GET_LOW_DMA(r0, 0x227a, &(0x7f0000000100)) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) accept4$alg(r0, 0x0, 0x0, 0x800) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getdents(r0, &(0x7f0000000140)=""/46, 0x2e) r4 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:51 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:51 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2402.728462][T11508] binder: BINDER_SET_CONTEXT_MGR already set [ 2402.765463][T11508] binder: 11505:11508 ioctl 40046207 0 returned -16 [ 2402.821765][T11511] binder_alloc: 11505: binder_alloc_buf, no vma [ 2402.821836][T11520] binder: 11505:11520 Release 1 refcount change on invalid ref 0 ret -22 [ 2402.861927][T11511] binder: 11505:11511 transaction failed 29189/-3, size 24-8 line 3147 17:26:51 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:51 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:51 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$UI_ABS_SETUP(r2, 0x401c5504, &(0x7f0000000100)={0x4, {0x1, 0x0, 0x17, 0x5, 0x7, 0x800}}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2402.987390][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:51 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getrlimit(0x7, &(0x7f0000000100)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:51 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:51 executing program 5: r0 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x4002, 0x0) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(0xffffffffffffff9c, 0x84, 0x6d, &(0x7f00000003c0)=ANY=[@ANYRES32=0x0, @ANYBLOB="9e00000046560dc3853d579bc281add8816776b0b3d79d93bc67c265eee8da4a6996773ce405fc4930f5792508d802b7050afcc45b04e67f71e4f53c0a47752ff2eaf89319f76b208a1ed15f451ba58aac9179ca9bbeb5724a07a0ef9431ed8fa8f147488c13101f24e037f6fc8a8ba968c63499e8d9965765bac396f40fb3f2743c349d263b0c532bf85e953fadb83d3f012203c38732afa02c2581cb604f17e98710bb300163391331a67a2572"], &(0x7f0000000100)=0xa6) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f0000000140)={r1, 0xb564}, &(0x7f0000000180)=0x8) r2 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x0, 0x20010, r3, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2403.193467][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:52 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$UI_ABS_SETUP(r2, 0x401c5504, &(0x7f0000000100)={0x4, {0x1, 0x0, 0x17, 0x5, 0x7, 0x800}}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:52 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:52 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2403.332395][T11543] binder_alloc: 11542: binder_alloc_buf, no vma [ 2403.415096][T11543] binder: 11542:11543 transaction failed 29189/-3, size 24-8 line 3147 [ 2403.430568][T11548] binder: 11542:11548 Release 1 refcount change on invalid ref 0 ret -22 17:26:52 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2403.524998][T11554] binder: BINDER_SET_CONTEXT_MGR already set [ 2403.560520][T11554] binder: 11542:11554 ioctl 40046207 0 returned -16 [ 2403.567447][T11543] binder_alloc: 11542: binder_alloc_buf, no vma [ 2403.570501][T11548] binder: 11542:11548 Release 1 refcount change on invalid ref 0 ret -22 17:26:52 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f0000000100)={0x0, 0x1, 0x30, 0x8, 0x1}, &(0x7f0000000140)=0x18) getsockopt$inet_sctp_SCTP_DELAYED_SACK(r2, 0x84, 0x10, &(0x7f0000000180)=@sack_info={r3, 0x800, 0x2}, &(0x7f00000001c0)=0xc) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000200)='/dev/vbi#\x00', 0x0, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2403.628226][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:52 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:52 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100), 0x8}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2403.815647][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="5303d457eb833665cbdfeda0558933bddaadc7683084e6460e2fd0f3b04d9b34bef8e9f3f9a2"], 0x0, 0x0, 0x0}) 17:26:52 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r3, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) r5 = syz_open_dev$usbmon(&(0x7f0000000180)='/dev/usbmon#\x00', 0x40, 0x20302) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) ioctl$VIDIOC_S_FREQUENCY(r1, 0x402c5639, &(0x7f0000000140)={0x7fff, 0x2, 0xc8}) setsockopt$inet6_tcp_TLS_RX(r5, 0x6, 0x2, &(0x7f0000000200), 0x4) r6 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) fsetxattr$security_smack_transmute(r0, &(0x7f0000000240)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000280)='TRUE', 0x4, 0x2) syz_kvm_setup_cpu$x86(r4, r7, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) ioctl$SIOCAX25GETINFOOLD(r5, 0x89e9, &(0x7f00000001c0)) ioctl$VIDIOC_ENUM_FMT(r4, 0xc0405602, &(0x7f0000000100)={0x1, 0xb, 0x1, "eb30c6f3586fc93ca606fa0258ef501c4d872b320719febccd55bc386d3504e4", 0x56595559}) 17:26:52 executing program 4: socket$inet6_sctp(0xa, 0x1, 0x84) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) symlink(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='./file0\x00') mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) connect$unix(r3, &(0x7f0000000240)=@abs={0x0, 0x0, 0x4e22}, 0x6e) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f0000000180)={0x4, 0xb5c3, 0x206, 0x6, 0x10000, 0x2, 0x975, 0x7fff, 0x0}, &(0x7f00000001c0)=0x20) setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r2, 0x84, 0x71, &(0x7f0000000200)={r6, 0xc6f}, 0x8) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:52 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getrlimit(0x7, &(0x7f0000000100)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2404.101968][T11571] binder: 11570:11571 unknown command 1473512275 [ 2404.136729][T11571] binder: 11570:11571 ioctl c0306201 20000380 returned -22 [ 2404.175303][T11574] binder_alloc: binder_alloc_mmap_handler: 11570 20001000-20004000 already mapped failed -16 [ 2404.208753][T11571] binder: BINDER_SET_CONTEXT_MGR already set [ 2404.258190][T11571] binder: 11570:11571 ioctl 40046207 0 returned -16 [ 2404.336280][T11580] binder_alloc: 11570: binder_alloc_buf, no vma [ 2404.344584][ T2678] binder: send failed reply for transaction 1393 to 11570:11571 [ 2404.374910][ T2678] binder: undelivered TRANSACTION_COMPLETE 17:26:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000000)=0x0) fcntl$lock(r0, 0x0, &(0x7f0000000040)={0x2, 0x7, 0x100000001, 0x7, r2}) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2404.404567][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 [ 2404.437817][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:53 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getrlimit(0x7, &(0x7f0000000100)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:53 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x940000, 0x0, 0xa0008000) 17:26:53 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100), 0x8}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2404.581142][T11585] binder: 11584:11585 Release 1 refcount change on invalid ref 0 ret -22 [ 2404.662402][T11585] binder: BINDER_SET_CONTEXT_MGR already set 17:26:53 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) stat(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, 0x0}) ioprio_set$uid(0x3, r3, 0x5) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2404.733246][T12655] binder: release 11584:11585 transaction 1398 out, still active [ 2404.746725][T11585] binder: 11584:11585 ioctl 40046207 0 returned -16 [ 2404.763684][T12655] binder: unexpected work type, 4, not freed 17:26:53 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$UI_END_FF_UPLOAD(r0, 0x406855c9, &(0x7f0000000140)={0x3, 0x24, {0x55, 0xff, 0x2, {0x9, 0x7f}, {0x10001, 0xfffffffffffffffd}, @const={0xfffffffffffffffd, {0x4b3, 0x3f, 0x100000000, 0x4}}}, {0x0, 0x100, 0x9, {0xed4, 0x100}, {0x7f, 0x186f7baf}, @period={0x5b, 0x1ff, 0xc92, 0x0, 0x100000000, {0x800, 0x40, 0x1, 0x8}, 0x1, &(0x7f0000000100)=[0x3ff]}}}) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x2, 0x0) ioctl$PPPIOCGUNIT(r2, 0x80047456, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2404.815134][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2404.845767][T12655] binder: send failed reply for transaction 1398, target dead 17:26:53 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getrlimit(0x7, &(0x7f0000000100)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2404.971250][T11604] binder_alloc: binder_alloc_mmap_handler: 11600 20001000-20004000 already mapped failed -16 [ 2405.016804][T11603] binder: BINDER_SET_CONTEXT_MGR already set [ 2405.057348][T11603] binder: 11600:11603 ioctl 40046207 0 returned -16 [ 2405.154329][T11610] binder_alloc: 11600: binder_alloc_buf, no vma [ 2405.181210][T11610] binder_transaction: 2 callbacks suppressed [ 2405.181228][T11610] binder: 11600:11610 transaction failed 29189/-3, size 24-8 line 3147 [ 2405.268317][ T2678] binder: release 11600:11603 transaction 1402 out, still active [ 2405.277519][T11603] binder_thread_write: 2 callbacks suppressed [ 2405.277534][T11603] binder: 11600:11603 Release 1 refcount change on invalid ref 0 ret -22 [ 2405.301284][ T2678] binder: unexpected work type, 4, not freed 17:26:54 executing program 1: socket$inet6_sctp(0xa, 0x1, 0x84) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) symlink(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='./file0\x00') mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) connect$unix(r3, &(0x7f0000000240)=@abs={0x0, 0x0, 0x4e22}, 0x6e) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f0000000180)={0x4, 0xb5c3, 0x206, 0x6, 0x10000, 0x2, 0x975, 0x7fff, 0x0}, &(0x7f00000001c0)=0x20) setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r2, 0x84, 0x71, &(0x7f0000000200)={r6, 0xc6f}, 0x8) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:54 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2405.319534][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2405.332474][ T2678] binder: send failed reply for transaction 1402, target dead 17:26:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x3b5, 0x0, 0x0}) 17:26:54 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$mouse(&(0x7f0000000140)='/dev/input/mouse#\x00', 0x0, 0x6a0301eefa836da7) ioctl$KVM_ENABLE_CAP(r1, 0x4068aea3, &(0x7f0000000180)={0x7d, 0x0, [0x8000, 0x0, 0x5]}) r2 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000100)=0x5) r4 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r5 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000ffa000/0x3000)=nil, 0x3000, 0xfffffffffffffffc, 0x100150, r2, 0x0) openat$nullb(0xffffffffffffff9c, &(0x7f0000000200)='/dev/nullb0\x00', 0x210440, 0x0) ioctl$TCGETS(r2, 0x5401, &(0x7f0000000040)) write$RDMA_USER_CM_CMD_CREATE_ID(r5, &(0x7f0000000380)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000340)={0xffffffffffffffff}, 0x2}}, 0x20) write$RDMA_USER_CM_CMD_MIGRATE_ID(r1, &(0x7f00000003c0)={0x12, 0x10, 0xfa00, {&(0x7f0000000300), r6, r4}}, 0x18) syz_open_dev$admmidi(&(0x7f0000000240)='/dev/admmidi#\x00', 0x9, 0x488080) r7 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) ioctl$SNDRV_TIMER_IOCTL_INFO(r5, 0x80e85411, &(0x7f0000000280)=""/122) ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r2, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 17:26:54 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r2, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:54 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100), 0x8}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2405.513890][T11619] binder: 11617:11619 Release 1 refcount change on invalid ref 0 ret -22 [ 2405.581202][T11619] binder: 11617:11619 ioctl c0306201 20000380 returned -14 [ 2405.631081][T11626] binder_alloc: binder_alloc_mmap_handler: 11617 20001000-20004000 already mapped failed -16 17:26:54 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2405.694635][T11619] binder: BINDER_SET_CONTEXT_MGR already set 17:26:54 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x1650) [ 2405.741908][T11619] binder: 11617:11619 ioctl 40046207 0 returned -16 [ 2405.768249][T11632] binder_alloc: 11617: binder_alloc_buf, no vma [ 2405.816064][T11632] binder: 11617:11632 transaction failed 29189/-3, size 24-8 line 3147 [ 2405.834492][ T2678] binder: send failed reply for transaction 1407 to 11617:11619 [ 2405.873268][ T2678] binder: undelivered TRANSACTION_COMPLETE 17:26:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:54 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f0000f52000/0x1000)=nil, 0x1000, 0x0, 0x31, r0, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) setsockopt$inet_buf(r3, 0x0, 0x3f, &(0x7f00000001c0)="0a8535355e517f3736a3ed6e942432400bf7f0ae0d1443961615811259c39ef442eade928c18354435c157b6e66a4dccdc723af3aadfa4149e6e90a3e312e6ca2e7060a80f5710eea83df2e968610c29f826234f16775c29d97b4a7e5cadbacf9b86c71237b3f04ccc58257e2107b310c1143caf39f7740a948b69795e5755470296899d9730c22dceda47ff0d09771a84b9b5591dd544cd5b1ee3a29b15d91a736cf0ed5e53da3d067443d717aab6c8b520abe2b2375f", 0xb7) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r1, 0xc010640b, &(0x7f0000000100)={0x0, 0x0, 0x5}) r5 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x800, 0x0) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r3, 0xc00c642d, &(0x7f0000000180)={r4, 0x80000, r5}) r6 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r7 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r6, r8, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:54 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) lremovexattr(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)=@random={'trusted.', '/\x00'}) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r2, 0xc04c5349, &(0x7f0000000100)={0xfffffffffffffff8, 0xffffffffffffffff, 0x5}) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:54 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2406.091303][T11641] binder: 11638:11641 Release 1 refcount change on invalid ref 0 ret -22 [ 2406.125238][T11645] binder_alloc: binder_alloc_mmap_handler: 11638 20001000-20004000 already mapped failed -16 [ 2406.172572][T11641] binder: BINDER_SET_CONTEXT_MGR already set [ 2406.194187][T11641] binder: 11638:11641 ioctl 40046207 0 returned -16 [ 2406.221950][T11648] binder_alloc: 11638: binder_alloc_buf, no vma [ 2406.243417][T11645] binder: 11638:11645 Release 1 refcount change on invalid ref 0 ret -22 17:26:55 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x1650) [ 2406.280824][ T2678] binder: release 11638:11641 transaction 1412 out, still active [ 2406.289320][T11648] binder: 11638:11648 transaction failed 29189/-3, size 24-8 line 3147 [ 2406.303783][ T2678] binder: unexpected work type, 4, not freed [ 2406.361080][ T2678] binder: undelivered TRANSACTION_COMPLETE 17:26:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x2) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vsock\x00', 0x208038, 0x0) setsockopt$inet_sctp_SCTP_AUTO_ASCONF(r2, 0x84, 0x1e, &(0x7f0000000080)=0x8, 0x4) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="2bd19a0e0000000000005344ce5e0c920e24e4ba7fa52febae1ef013d790eed7e810e742b434781b59adf1a1"], 0x0, 0x0, 0x0}) [ 2406.410039][ T2678] binder: send failed reply for transaction 1412, target dead 17:26:55 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, 0x0) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2406.586801][T11660] binder: 11658:11660 unknown command 245027115 [ 2406.610072][T11660] binder: 11658:11660 ioctl c0306201 20000380 returned -22 17:26:55 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000140)='TIPC\x00') sendmsg$TIPC_CMD_DISABLE_BEARER(r2, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x4000221}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x34, r3, 0xb00, 0x70bd28, 0x25dfdbfe, {{}, 0x0, 0x4102, 0x0, {0x18, 0x13, @l2={'eth', 0x3a, 'bond_slave_0\x00'}}}, ["", "", "", ""]}, 0x34}, 0x1, 0x0, 0x0, 0x4004}, 0x80) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:55 executing program 2: socket$inet6_icmp_raw(0xa, 0x3, 0x3a) preadv(0xffffffffffffffff, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000000300)='SEG6\x00') r0 = creat(&(0x7f0000000340)='./bus\x00', 0x0) r1 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) ioctl$CAPI_NCCI_GETUNIT(r1, 0x80044327, &(0x7f00000006c0)=0xca3) r2 = gettid() perf_event_open(0x0, r2, 0x14, r0, 0x2) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x1012, r1, 0x0) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x5, 0x0, 0x2200, 0x0, 0xa0008000, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0xebffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffa0010000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000), 0x600}, 0xfffffff6}, 0x0, 0x0, 0xffffffffffffffff, 0x0) write$RDMA_USER_CM_CMD_GET_EVENT(r0, &(0x7f00000000c0)={0xc, 0x8, 0xfa00, {0x0}}, 0x3d1) r3 = epoll_create1(0x0) lseek(r3, 0x0, 0x2) r4 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x1, 0xc0040) ioctl$PPPIOCDISCONN(r4, 0x7439) getsockopt$packet_buf(r4, 0x107, 0x6, &(0x7f0000000280)=""/20, &(0x7f00000002c0)=0x14) r5 = epoll_create1(0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r4, 0x84, 0x1d, &(0x7f0000000440)={0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000480)=0x20) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f00000004c0)={r6, @in={{0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x1c}}}, 0x4, 0x1, 0x1, 0x10000, 0x80}, &(0x7f0000000580)=0x98) close(r3) syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0xffffffffffffffff, 0x2) r7 = getpgid(0x0) mknodat(r1, &(0x7f00000005c0)='./bus\x00', 0x4, 0x10001) perf_event_open(&(0x7f00000003c0)={0x7, 0x70, 0x1ff, 0x4, 0x7ff, 0x2, 0x0, 0x5, 0x9, 0x8, 0xf3b, 0x20, 0x10001, 0x100000001, 0x0, 0x8001, 0xffffffff, 0x10001, 0x7, 0x8, 0x3, 0x1, 0x10000, 0x0, 0x1, 0x3, 0x0, 0x3ff, 0x17c, 0xf008, 0xffffffff, 0x8000, 0xfd82, 0x7, 0x9, 0xfffffffffffffffe, 0x9, 0x5, 0x0, 0x3ff, 0x0, @perf_bp={&(0x7f0000000380)}, 0x2, 0x2, 0x2, 0x2, 0x6, 0x533f27b0, 0x3}, r7, 0x7c, r4, 0x8) mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x50, r1, 0x0) epoll_ctl$EPOLL_CTL_ADD(r5, 0x1, r3, &(0x7f0000c85000)) setsockopt$RDS_GET_MR_FOR_DEST(r4, 0x114, 0x7, &(0x7f00000001c0)={@alg={0x26, 'rng\x00', 0x0, 0x0, 'drbg_pr_ctr_aes128\x00'}, {&(0x7f0000000100)=""/141, 0x8d}, &(0x7f0000000040), 0xe}, 0xa0) setxattr$security_smack_entry(&(0x7f0000000600)='./bus\x00', &(0x7f0000000640)='security.SMACK64EXEC\x00', &(0x7f0000000680)='\'\x00', 0x2, 0x3) ioctl$VIDIOC_ENUM_FMT(r1, 0xc0405602, &(0x7f0000000080)={0xfffffffffffffffe, 0xd, 0x3, "ca69d9c939a6a96e9f7fa68c2a63a7b299cfa362944baea6fe473dc213e983c6", 0x33363248}) [ 2406.646579][T11666] binder_alloc: binder_alloc_mmap_handler: 11658 20001000-20004000 already mapped failed -16 17:26:55 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, 0x0) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2406.740289][T11660] binder: BINDER_SET_CONTEXT_MGR already set [ 2406.790355][T11660] binder: 11658:11660 ioctl 40046207 0 returned -16 [ 2406.797396][T12655] binder: release 11658:11660 transaction 1417 out, still active [ 2406.828251][T11666] binder_alloc: 11658: binder_alloc_buf, no vma [ 2406.834852][T12655] binder: unexpected work type, 4, not freed [ 2406.860626][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2406.891744][T12655] binder: send failed reply for transaction 1417, target dead 17:26:55 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, 0x0) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2406.920220][T11666] binder: 11658:11666 transaction failed 29189/-3, size 24-8 line 3147 17:26:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300004e37", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f0000000040)={{{@in6=@mcast1, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@empty}, 0x0, @in6=@loopback}}, &(0x7f0000000140)=0xe8) r3 = accept4$inet6(0xffffffffffffff9c, &(0x7f00000002c0)={0xa, 0x0, 0x0, @remote}, &(0x7f0000000440)=0x1c, 0x800) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000000180)={0x0, 0x0}, &(0x7f0000000280)=0xc) fsetxattr$system_posix_acl(r1, &(0x7f0000000000)='system.posix_acl_access\x00', &(0x7f00000003c0)=ANY=[@ANYBLOB="02000000a1861d8b3c61020000009c435e56ca428080da9ada4da0bb7907000000950000", @ANYRES32=r2, @ANYBLOB="aea17e2b", @ANYRES32=r4, @ANYBLOB="040002000000000010000400000000002000000000000000"], 0x34, 0x3) r5 = syz_open_dev$media(&(0x7f0000000480)='/dev/media#\x00', 0x1000, 0x20000) getsockopt$inet_sctp6_SCTP_STATUS(r3, 0x84, 0xe, &(0x7f0000000600)={0x0, 0x8, 0x4aa, 0x4, 0xffff, 0x2, 0x6, 0xf2, {0x0, @in6={{0xa, 0x4e23, 0xe2f, @empty, 0x30}}, 0x0, 0x100, 0x1, 0x5, 0x8}}, &(0x7f00000004c0)=0xb0) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r5, 0x84, 0x7b, &(0x7f0000000500)={r6, 0x9}, &(0x7f00000006c0)=0x8) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000540)=ANY=[@ANYBLOB="066304408beb0d5a59898972630116557effeecea015250c0d8732b8b17c75c409aef8f7df3308487858df8fabfcf57b680928d128b0b73047ba1eff4c7b51cc88c26dcd354f6a9126fb418856c446c361797d6548bb31598dbc9c607bdf59a2c94c5b9363da2cacdcbda2ade6cadaf8df6b34ef93ef772812a703d60643f78686d0e048f16723503b11da9a7ada1e34ae99c36dc99c7b6569450cc19a18c111ac5e0cf063d731415e"], 0x0, 0x0, 0x0}) 17:26:55 executing program 4: r0 = syz_open_dev$admmidi(&(0x7f0000000100)='/dev/admmidi#\x00', 0x7ff, 0x20000) preadv(r0, &(0x7f0000000400)=[{&(0x7f0000000140)=""/209, 0xd1}, {&(0x7f0000000240)=""/142, 0x8e}, {&(0x7f0000000300)=""/170, 0xaa}, {&(0x7f00000003c0)=""/37, 0x25}], 0x4, 0x4a) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:55 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x1650) 17:26:55 executing program 2: socket$inet6_icmp_raw(0xa, 0x3, 0x3a) preadv(0xffffffffffffffff, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000000300)='SEG6\x00') r0 = creat(&(0x7f0000000340)='./bus\x00', 0x0) r1 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) ioctl$CAPI_NCCI_GETUNIT(r1, 0x80044327, &(0x7f00000006c0)=0xca3) r2 = gettid() perf_event_open(0x0, r2, 0x14, r0, 0x2) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x1012, r1, 0x0) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x5, 0x0, 0x2200, 0x0, 0xa0008000, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0xebffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffa0010000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000), 0x600}, 0xfffffff6}, 0x0, 0x0, 0xffffffffffffffff, 0x0) write$RDMA_USER_CM_CMD_GET_EVENT(r0, &(0x7f00000000c0)={0xc, 0x8, 0xfa00, {0x0}}, 0x3d1) r3 = epoll_create1(0x0) lseek(r3, 0x0, 0x2) r4 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x1, 0xc0040) ioctl$PPPIOCDISCONN(r4, 0x7439) getsockopt$packet_buf(r4, 0x107, 0x6, &(0x7f0000000280)=""/20, &(0x7f00000002c0)=0x14) r5 = epoll_create1(0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r4, 0x84, 0x1d, &(0x7f0000000440)={0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000480)=0x20) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f00000004c0)={r6, @in={{0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x1c}}}, 0x4, 0x1, 0x1, 0x10000, 0x80}, &(0x7f0000000580)=0x98) close(r3) syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0xffffffffffffffff, 0x2) r7 = getpgid(0x0) mknodat(r1, &(0x7f00000005c0)='./bus\x00', 0x4, 0x10001) perf_event_open(&(0x7f00000003c0)={0x7, 0x70, 0x1ff, 0x4, 0x7ff, 0x2, 0x0, 0x5, 0x9, 0x8, 0xf3b, 0x20, 0x10001, 0x100000001, 0x0, 0x8001, 0xffffffff, 0x10001, 0x7, 0x8, 0x3, 0x1, 0x10000, 0x0, 0x1, 0x3, 0x0, 0x3ff, 0x17c, 0xf008, 0xffffffff, 0x8000, 0xfd82, 0x7, 0x9, 0xfffffffffffffffe, 0x9, 0x5, 0x0, 0x3ff, 0x0, @perf_bp={&(0x7f0000000380)}, 0x2, 0x2, 0x2, 0x2, 0x6, 0x533f27b0, 0x3}, r7, 0x7c, r4, 0x8) mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x50, r1, 0x0) epoll_ctl$EPOLL_CTL_ADD(r5, 0x1, r3, &(0x7f0000c85000)) setsockopt$RDS_GET_MR_FOR_DEST(r4, 0x114, 0x7, &(0x7f00000001c0)={@alg={0x26, 'rng\x00', 0x0, 0x0, 'drbg_pr_ctr_aes128\x00'}, {&(0x7f0000000100)=""/141, 0x8d}, &(0x7f0000000040), 0xe}, 0xa0) setxattr$security_smack_entry(&(0x7f0000000600)='./bus\x00', &(0x7f0000000640)='security.SMACK64EXEC\x00', &(0x7f0000000680)='\'\x00', 0x2, 0x3) ioctl$VIDIOC_ENUM_FMT(r1, 0xc0405602, &(0x7f0000000080)={0xfffffffffffffffe, 0xd, 0x3, "ca69d9c939a6a96e9f7fa68c2a63a7b299cfa362944baea6fe473dc213e983c6", 0x33363248}) [ 2407.109064][T11680] binder: 11679:11680 got transaction to context manager from process owning it 17:26:55 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={0x0}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2407.175190][T11680] binder: 11679:11680 transaction failed 29201/-22, size 24-8 line 2985 [ 2407.282498][T11686] binder: 11679:11686 Release 1 refcount change on invalid ref 1510861707 ret -22 17:26:56 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={0x0}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2407.396597][T11686] binder_alloc: binder_alloc_mmap_handler: 11679 20001000-20004000 already mapped failed -16 17:26:56 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) accept(r2, 0x0, &(0x7f0000000100)) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2407.456794][T11680] binder_alloc: 11679: binder_alloc_buf, no vma [ 2407.496604][T11680] binder: 11679:11680 transaction failed 29189/-3, size 24-8 line 3147 17:26:56 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={0x0}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:56 executing program 1: socket$inet6_icmp_raw(0xa, 0x3, 0x3a) preadv(0xffffffffffffffff, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000000300)='SEG6\x00') r0 = creat(&(0x7f0000000340)='./bus\x00', 0x0) r1 = open(&(0x7f0000000000)='./bus\x00', 0x141042, 0x0) ioctl$CAPI_NCCI_GETUNIT(r1, 0x80044327, &(0x7f00000006c0)=0xca3) r2 = gettid() perf_event_open(0x0, r2, 0x14, r0, 0x2) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x1012, r1, 0x0) perf_event_open(&(0x7f0000000180)={0x6, 0x70, 0x5, 0x0, 0x2200, 0x0, 0xa0008000, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0xebffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffa0010000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000), 0x600}, 0xfffffff6}, 0x0, 0x0, 0xffffffffffffffff, 0x0) write$RDMA_USER_CM_CMD_GET_EVENT(r0, &(0x7f00000000c0)={0xc, 0x8, 0xfa00, {0x0}}, 0x3d1) r3 = epoll_create1(0x0) lseek(r3, 0x0, 0x2) r4 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x1, 0xc0040) ioctl$PPPIOCDISCONN(r4, 0x7439) getsockopt$packet_buf(r4, 0x107, 0x6, &(0x7f0000000280)=""/20, &(0x7f00000002c0)=0x14) r5 = epoll_create1(0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r4, 0x84, 0x1d, &(0x7f0000000440)={0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000480)=0x20) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f00000004c0)={r6, @in={{0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x1c}}}, 0x4, 0x1, 0x1, 0x10000, 0x80}, &(0x7f0000000580)=0x98) close(r3) syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0xffffffffffffffff, 0x2) r7 = getpgid(0x0) mknodat(r1, &(0x7f00000005c0)='./bus\x00', 0x4, 0x10001) perf_event_open(&(0x7f00000003c0)={0x7, 0x70, 0x1ff, 0x4, 0x7ff, 0x2, 0x0, 0x5, 0x9, 0x8, 0xf3b, 0x20, 0x10001, 0x100000001, 0x0, 0x8001, 0xffffffff, 0x10001, 0x7, 0x8, 0x3, 0x1, 0x10000, 0x0, 0x1, 0x3, 0x0, 0x3ff, 0x17c, 0xf008, 0xffffffff, 0x8000, 0xfd82, 0x7, 0x9, 0xfffffffffffffffe, 0x9, 0x5, 0x0, 0x3ff, 0x0, @perf_bp={&(0x7f0000000380)}, 0x2, 0x2, 0x2, 0x2, 0x6, 0x533f27b0, 0x3}, r7, 0x7c, r4, 0x8) mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x50, r1, 0x0) epoll_ctl$EPOLL_CTL_ADD(r5, 0x1, r3, &(0x7f0000c85000)) setsockopt$RDS_GET_MR_FOR_DEST(r4, 0x114, 0x7, &(0x7f00000001c0)={@alg={0x26, 'rng\x00', 0x0, 0x0, 'drbg_pr_ctr_aes128\x00'}, {&(0x7f0000000100)=""/141, 0x8d}, &(0x7f0000000040), 0xe}, 0xa0) setxattr$security_smack_entry(&(0x7f0000000600)='./bus\x00', &(0x7f0000000640)='security.SMACK64EXEC\x00', &(0x7f0000000680)='\'\x00', 0x2, 0x3) ioctl$VIDIOC_ENUM_FMT(r1, 0xc0405602, &(0x7f0000000080)={0xfffffffffffffffe, 0xd, 0x3, "ca69d9c939a6a96e9f7fa68c2a63a7b299cfa362944baea6fe473dc213e983c6", 0x33363248}) [ 2407.551625][T11697] binder: BINDER_SET_CONTEXT_MGR already set 17:26:56 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:56 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000180)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$sock_kcm_SIOCKCMUNATTACH(r2, 0x89e1, &(0x7f0000000100)={r0}) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000040)) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000140)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xffffffffffffff7f, 0x500180de7f0000, 0x0, 0x0) [ 2407.612566][T11701] binder: 11679:11701 Release 1 refcount change on invalid ref 1510861707 ret -22 [ 2407.629965][T11697] binder: 11679:11697 ioctl 40046207 0 returned -16 [ 2407.683256][T12655] binder_release_work: 5 callbacks suppressed [ 2407.683264][T12655] binder: undelivered TRANSACTION_ERROR: 29201 [ 2407.690860][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = creat(&(0x7f0000000000)='./file0\x00', 0x180) r3 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080)='IPVS\x00') sendmsg$IPVS_CMD_ZERO(r2, &(0x7f0000000280)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f0000000180)={&(0x7f00000000c0)={0xa8, r3, 0x420, 0x70bd2b, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_DAEMON={0x14, 0x3, [@IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @rand_addr=0x1a}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x31baf3b4ae24ac07}]}, @IPVS_CMD_ATTR_DEST={0x24, 0x2, [@IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x5}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xffffffff80000001}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x6}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x5}, @IPVS_CMD_ATTR_DAEMON={0x4c, 0x3, [@IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @local}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @rand_addr=0x8}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e23}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @remote}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @empty}]}]}, 0xa8}, 0x1, 0x0, 0x0, 0x800}, 0x800) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="0063404000000000000000000000000081b1659277d9ed7d00000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:56 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(0x0, 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:26:56 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2407.951549][T11716] binder: 11715:11716 Release 1 refcount change on invalid ref 0 ret -22 17:26:56 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(0x0, 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2408.034744][T11720] binder_alloc: binder_alloc_mmap_handler: 11715 20001000-20004000 already mapped failed -16 [ 2408.081249][T11716] binder: BINDER_SET_CONTEXT_MGR already set [ 2408.123998][T11716] binder: 11715:11716 ioctl 40046207 0 returned -16 17:26:56 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000100)='/dev/vbi#\x00', 0x2, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:56 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = add_key$user(&(0x7f0000000100)='user\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)="c867b00f2a071ae72d933a4c30d3", 0xe, 0x0) keyctl$KEYCTL_PKEY_SIGN(0x1b, &(0x7f00000001c0)={r4, 0x3b, 0x283}, &(0x7f0000000200)=ANY=[@ANYBLOB="656e633d706b63733120686173683d63726333322bc8842bfdd60426000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000"], &(0x7f0000000280)="d1d2faeab793125167278067c0b1dc3a09f03e5da46f39bd2ce5d1258cc7c1486471e7cd8998fd74d015647b91a3b259d6053f6f651d6737c166ef3601aca0f45569b796554e1184ba1733dd2dbdbe4d56697cd8dbbd9f18545f22c0e4e4c9aa51f373bb8e390edbe913107916b8be7bff2144b98e880ffaf085b981aed9e9aee5da04fbec8f6e830bd120ce9f563bc224d4b17f8436ebeb99b01220dab352a3625533df9d346c761b554a3852739c42d0560975f288fd06af0ace517455ae532912dffbf981fa150b3d119514458a13220548a04f7612be87e0607ba793bbed1bf209d6c6f0a98d69bff345aa7701f1d81f3dd93b69c2aeb69514e0f0aad72ca7236ca75a31609ee1d55d6379302c553367a707142ff965f042f3e13fc149792651805edefec7582cac098aad37f454b27ec519b6593608166dd40c0b7d2ffe34336689b741935894259a490adafea8363e8b2e27aa7b093ebc334c93783da4ae45e88e90f0790ae5f33fe6bcaf86666a303a07a127d3db8eea4e7c3b1a53779db7dc8a880aaf4bdf65707712b0e54927772fa4a6fd6d49df7bdc315270e4c8901793d2ef46035ae92bc1d0e538c6d317175ac41cd2b40ef3c238a30f60277b7ec47d47613f136900d71582647eeeee70ff00e607c65299ae84514e0ba4f5efa6deea23862419986948e20c1ed58ba8bdef283accb971e0e0e4f5252b65515b6e594551d9bec84a3c9d5ea63c582b60c043430418ef1800556774e87f15ce4963353156bba2444eaf42d2349885c2ae2f3419e80fed29cf7214da9cc5f968c833f0c2d2f083516616e9918171a93c1ea29c1f005b76bd6476c5943761a75ecf7b312942c13afbe230be23f3fe70b34794eda38cfdc9aea6efb719ccad7ef7ebd852fdc3a09f9ba4f0f365e01fee742a7cdc2742a7ef4271b1cf9c7124b3a53bb2de0d84f2b781276113590aef10bd3b310def6e8f8f5f57ba0ceba6b4afe218c68ad3e9fe2aad9d22043c4e5bcedc269cc37d0ccf713903eeb959c45b4d2cd4c874fbec76764a5e6bce53f0a546671ac3575d6f5a7110b3497c68bdbf7179edfef0cec66e392f8d362a1c4899c7a821b277ce38d9d7c577540aefd3fcebab5473a03e3c851205233e66fd892e0929f14facd581ccce60cc2e0fbe79c75372dda0380bdfd9b87b928e65598413c6ea40e771cafe3bb23207fb2bca822c48d6e3420e447a32bc149f39d4290d688dfc913722383e72bb9feb2524a063b547e9d998154c818bc522da52f841c604a2d3a96a9d6cb31cd7a7b212c5ff715d4eeca85de366de843a47d7974b18a64c225bdb793e0c352e6ec0bfe49560ec832cb46c801a9c805f0999454bfaf2a8553b154d4800927510d1053b8870807769af4579de784d05167fbd19685f316b744196534bf719a1eae4c029d948ffa5608a0ef831572a4db65dccf9de0b4c4df58644900459b5eb982247234f6ecd2ca8c14227e52fbf3077ec41c54f6a8c5351ead91b5474864603d8acb3a88fb4082e24f9d0d03acf5ba5e567ca14101bdd4f53fc30cdc972d7994a985b76848b84ea6521599a2dc2a3bd03fd6fa45ad106da57a9962785125c6a4bbd6a06aebca82336d760c66979f4e0b7094f2ef75838e978f5190eb2fd5b6fb49494ee2c9407c06c6a069a2d6f5c376d3dbe9ba346711b996d8f457ce4c154429ebd9c2b837a4eaaf2d60da381cd6f2a51f17e08885e5c3673495923a79a4a0daf88fc64c6a0264c27ed9f45c33314ac76f62fee50a065ddd9c25605bbf4f459f16fe904d1551e197c4931597c0c596b0b213d3353efb51ec5400521c5badc15b48606cab101fdd89e0b1ad743b31546c069278bbc29fa85e7deea633b8fa2b1ef307ea92ee8a17ebfa1905061fdbc4d361782fb805a4f963ebd272eaa29cdb599b0477ccddb4ec840fb209c90e110c9d7cf8593cc244c9287d3d169659c7b827b5279942dcef185ab1d3666c2986e6f6ffbd10437ebb24d28260c9cea45c24183375fec71208c5b5696511992d613ea4722fa48b1a8cdaaac5278652caa0f697538e9652572baf17db09e89f7177e69e1d891c539eb074b3c2af946e1f4880f1576161e6b3ea546100c5ea5a5335f6ce801813e2bcb42faf6928b0cf8e00abb5e88bb2e5faeee528536a5bce43f2f3c3088bb02ab1d787af5f5883d8faa7a1a2bf0b79d1fd61b6a8a455ba1a225c3765bff80f872063d1226e60bad4c53851b8248daa70326d83ffec5573869520f60ca588fb014a22937d10b98a9f14be17d77105f82a1e1e45e8e7015517b608699af77bb94cac36192594554d687280458ec273d52bf74e58eb96c03909adc88bc48cbbc06e77fb9cba10091bdacc6701b23178b860c650fab1df861dcf7902b290c97477bc9c173898c2360c3f12b20ac45bda685cc9b0eef03467f3a08e9ae0cd91992bb6c00c96387a435b1e562623bd3e8864e6e5d22dfab0393723ac1ab915e446e6e5754b69b5f1fbe5c0014e8f300d72e1645eb37ac0191c0fb682f4e4779f92c029f7b475ce2cbb38a7e3981cef9cdb43e7cf9c86a5002990a0bfed4cb0ca9f83ffb7c0d8fb4e369033bec3272ff5764479899536500c62ccfe06000fb12b1362b486803b10255cb122d5dab00cfb45c600533bba581036514b54bb7ed9fb443b37156ffa99f9391db0b58763b1fb5426c95c79bff9e731c97899d6fc4c213b2fa7cbaf9cd6da4d03e203c8e78ecc774eaee88fd786c3250f3ba6913a732a5130be05bfb4d6945260b05c545c4da53141556188ab484adc0f0a502f4f87bcb5072aa182e95c3d5b0e5d6846b2a5e52aec0895e857581be0bf84954d2d136a4ecbd3920ab4a05b89f7db8fd032ec8be31e08fe3b00c31b138503213fe2f15fb1fe0bf1295e4ff79f6eca57899c37f625e52745a6dc50c8054aaa1fca263a68b93ee29844404944a487afe940eea4222c8647ea1c31e9c12890e369a581a7480958f12da944af78cd224b0ea1b5e84cee096d936bb89e7a711af525c9adc898ab6087d7dadb09b0a41f4bf3065e2dd565163898dc18aeefa353300ceced23aa0aeb573d3dac1e6a92169eb0fb9f10d9cbbb52054faf893c5dd39902f9d59d17b77898c18c0ce8305db423e9ce68bb89227b4edc4ba89be7e96a26c8c5ef53c95e8ded8b8aae3f9d8834819a95be11fb81e10e790a7e702c6664ac25f40b4f61a59953f42292775127bb7beba6ff5e9c22bf92349ccc8436695970de42610c61039faa2036c3d3091752a7b53bf44edbc80ec7bcd02992b7eb4ffd6548472dd121eca523ebdf56a4231390c0338764c2dd9014b4b63f00727bd823ca9256d2fb1911fb9343c233d5a6e89231f8e59f1a397da7b4a8795dbb8873a54fe319458b1d0801121939d549a3290e8d42b94a93dc9320146e8feb334144cf394fc718cd5964de0971c756e58fe71203241ce299fe7464ec738da87127901caeb0bcca243c7031e2406fc4d5ed80a973c306c0d2edb7cbc48bd41d2e91a918ef689863ffc45980bed6d591d5059a2fae2c77eab7e027da674b74957166f0de6886e1df5d2b39acae15d148cd205868650d82c7b6a05481d3cbb9559c6053521d262a29afcce0b551f97350d69729b5c53a90063da2690122db7f0eaf0811a2c704b3a0f3d2f2a04a962c56fdb638a83427fe2c58bd2a729d8b33eb3753a7b8dded56f1b38eb1322f69669a9a7a575803fd8ee2b6091200369416ed476aaa19d214ea454108356ed112f860ed1a52db2eec2b1f7b70445da7fe79f1ea845d38d8b37d21f3c2cf2b6464a7c48fbae12e0017f3e94553914eea4b5b988f767350c794cb64ebf2ffa21e2113067593729ebe64a909b82d9a13adaadeda45f0e2a673118b9f7c33659fa6af9594b13dedac1f3d866dc9160cf25cd775c5453845971c9b4021e5933765180369ef279805b1c9f797bb9b187d3eec5daf1d96a0b95b624a9a9a8f2f49260de0b3f9b350844d2085d1a34c2b1bbcf0fa955b4a40cde27bb49e6964bb8ff48bd10b1c86d389bc387516bf32d4e17baac91648cd52525eac4f675fd1f2112ea520029512e2df835fdd4be3146320e5deebfd9d03e3eb35aa64f9eff655a34246fa7710049a026f45d653b60d5fdff23f0aa5b05c2d17b813761a0c315825783977451e14fe252d7c50183fff93e773e1a3752a4057eebbc066eaef02574f2492bc7f313f7818a549ad23e59e69aaa45a978ece8ee948b281d7ba2416b02ebc3cd770288d6eff7ff92c5c1f7c0f5379fe268ac8d5f5fd16ebd65653c72de40674243e6b452c4a48bb297dea206a0823d895bbeb06c7a4a46286c1bbe81b4a6f7f5c12750b274a3d2e690b6d8846eb1da1d20dd28b5c6963a5b8e9c167a5bbda83d68c6a50d4606c1ef39f46499c95e73000668c7387b1f2331a5463da6c719f918c11e37915bac76c3f071e002673f4ea6e859ef57644fca979f6fbbff51872df424cc4342da9b0703a7b37825f56d61db6091628264cd9640987579900002a886b51936694d54be001a272b96bdab2f37d627c71ccb7031ad341cbceb0d606ed583e1f94a7bfe2a94f59a0e8246775c8a9a9c69be981faca33e274fdd3c88bb743087be8e1b477aebce725946b1dc6aaa6d96aacdaa7d833765e5fe23b3ac7eea5fb1a83c7240d2eefcfaba7687cde51cfbcbde1c88d01dd869e69dd100c1654ebac218e895663090b8079e9823ef80a5e266875edcdbd4eaa0887a0edd691bd4776cf0068f888a13c26b2e764a808a2099bc1a2967b8d076f2584e980f1adfaa9ef9e1479398bf9cac5ef7c57ab6ded3099b88432711d01f6d9963d494c71d5ae5838ef89b365728b2d3316cbb2196d64ad8714f20015650e93dff31243d2b728c29fe9b1d2755e8ab8ca2c8a7baae3aeb41ef5c8f3819b47617464da9a8fd2f602856f415006d056b6662eef96a4f2eae532038fed6a57a33f4ff69b66ae703fc9ae609e58d7d12df9ffd4cdc607866cf354990099d7fdb8b9288db9d3574dffc4fe68d20824384bb65de3d9bf2c6b53c03b726272e47419cec1f2f69d0f9ad100fc35fa6dd6bf017c2cc387c456bde3ba2b0ad73be83ab33fa73a083e6bdf8a76b3c7756dc6e9aac97486f467d4b838104cc50d8fe45f078fede0db7b1c3cd064e0fdecef26a6754945eee1b4ca43a684f655c91dac02bb86bdfac6b72aba0fb594dfde6f9f861d6451dd2856fe53d370d39558fd692e6c4c84e8c2a635eff9defe6b756e1f190444ed6c990983e32db54627aba4059fa2ee9336ae1a0d36f5822d34a0905fb0a26561aad8cf84ee589507fbb44e0980c742766b476275e73fbf296fad305d94c2eac1af4d7174548955e1c4ad77cce16875930fd4e85e62d80069f97e5c79e9903b7294687cd6c4a06c36bb1fd512f78a17750eb9e0ac74a97364e332552c33cdbab6e65a7c65b934a79ce5b7f5280aa18669f09c038ba9b65f931ccf4eea9511e8d40247dee912b8e5239e7f4d913d47fabbbfc1cc468aa3529413e90aaed42ea337565da9ccebf99e46a97afebcbd44ef2655fb0819b5efd8137fbc2c26b79325603029cec188e0682b82ad8bbe398e95053fb3ba0445ca92714c9dd1ae95452f33f980db484f8bcb8194d6f2657e3e892e7e6e46f42dd2cbc9bf51279dd065926aead21c074dd0ae165fa5cda2468a3892aaf75a952336918481bf29b084be0a69421d50dfea84c6c41b7fc2a55c38a2edd3e32038ad27194f93a722c647aa22a21d8b8fdbfd16f6f632e", &(0x7f0000001280)=""/4096) ioctl$VIDIOC_SUBDEV_S_FRAME_INTERVAL(r2, 0xc0305616, &(0x7f0000002280)={0x0, {0xcf2d, 0x3f}}) r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) [ 2408.169544][T11720] binder_alloc: 11715: binder_alloc_buf, no vma 17:26:57 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) ioctl$SIOCX25GDTEFACILITIES(r0, 0x89ea, &(0x7f0000000100)) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(r0, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:26:57 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(0x0, 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2408.212377][T11724] binder: 11715:11724 Release 1 refcount change on invalid ref 0 ret -22 [ 2408.251106][ T2678] binder: send failed reply for transaction 1425 to 11715:11716 [ 2408.271007][T11720] binder: 11715:11720 transaction failed 29189/-3, size 24-8 line 3147 [ 2408.298939][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 [ 2408.327607][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2408.346208][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:57 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(0xffffffffffffffff, 0x2000c2604110, &(0x7f0000000000)) 17:26:57 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = add_key$user(&(0x7f0000000100)='user\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)="c867b00f2a071ae72d933a4c30d3", 0xe, 0x0) keyctl$KEYCTL_PKEY_SIGN(0x1b, &(0x7f00000001c0)={r4, 0x3b, 0x283}, &(0x7f0000000200)=ANY=[@ANYBLOB="656e633d706b63733120686173683d63726333322bc8842bfdd60426000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000"], &(0x7f0000000280)="d1d2faeab793125167278067c0b1dc3a09f03e5da46f39bd2ce5d1258cc7c1486471e7cd8998fd74d015647b91a3b259d6053f6f651d6737c166ef3601aca0f45569b796554e1184ba1733dd2dbdbe4d56697cd8dbbd9f18545f22c0e4e4c9aa51f373bb8e390edbe913107916b8be7bff2144b98e880ffaf085b981aed9e9aee5da04fbec8f6e830bd120ce9f563bc224d4b17f8436ebeb99b01220dab352a3625533df9d346c761b554a3852739c42d0560975f288fd06af0ace517455ae532912dffbf981fa150b3d119514458a13220548a04f7612be87e0607ba793bbed1bf209d6c6f0a98d69bff345aa7701f1d81f3dd93b69c2aeb69514e0f0aad72ca7236ca75a31609ee1d55d6379302c553367a707142ff965f042f3e13fc149792651805edefec7582cac098aad37f454b27ec519b6593608166dd40c0b7d2ffe34336689b741935894259a490adafea8363e8b2e27aa7b093ebc334c93783da4ae45e88e90f0790ae5f33fe6bcaf86666a303a07a127d3db8eea4e7c3b1a53779db7dc8a880aaf4bdf65707712b0e54927772fa4a6fd6d49df7bdc315270e4c8901793d2ef46035ae92bc1d0e538c6d317175ac41cd2b40ef3c238a30f60277b7ec47d47613f136900d71582647eeeee70ff00e607c65299ae84514e0ba4f5efa6deea23862419986948e20c1ed58ba8bdef283accb971e0e0e4f5252b65515b6e594551d9bec84a3c9d5ea63c582b60c043430418ef1800556774e87f15ce4963353156bba2444eaf42d2349885c2ae2f3419e80fed29cf7214da9cc5f968c833f0c2d2f083516616e9918171a93c1ea29c1f005b76bd6476c5943761a75ecf7b312942c13afbe230be23f3fe70b34794eda38cfdc9aea6efb719ccad7ef7ebd852fdc3a09f9ba4f0f365e01fee742a7cdc2742a7ef4271b1cf9c7124b3a53bb2de0d84f2b781276113590aef10bd3b310def6e8f8f5f57ba0ceba6b4afe218c68ad3e9fe2aad9d22043c4e5bcedc269cc37d0ccf713903eeb959c45b4d2cd4c874fbec76764a5e6bce53f0a546671ac3575d6f5a7110b3497c68bdbf7179edfef0cec66e392f8d362a1c4899c7a821b277ce38d9d7c577540aefd3fcebab5473a03e3c851205233e66fd892e0929f14facd581ccce60cc2e0fbe79c75372dda0380bdfd9b87b928e65598413c6ea40e771cafe3bb23207fb2bca822c48d6e3420e447a32bc149f39d4290d688dfc913722383e72bb9feb2524a063b547e9d998154c818bc522da52f841c604a2d3a96a9d6cb31cd7a7b212c5ff715d4eeca85de366de843a47d7974b18a64c225bdb793e0c352e6ec0bfe49560ec832cb46c801a9c805f0999454bfaf2a8553b154d4800927510d1053b8870807769af4579de784d05167fbd19685f316b744196534bf719a1eae4c029d948ffa5608a0ef831572a4db65dccf9de0b4c4df58644900459b5eb982247234f6ecd2ca8c14227e52fbf3077ec41c54f6a8c5351ead91b5474864603d8acb3a88fb4082e24f9d0d03acf5ba5e567ca14101bdd4f53fc30cdc972d7994a985b76848b84ea6521599a2dc2a3bd03fd6fa45ad106da57a9962785125c6a4bbd6a06aebca82336d760c66979f4e0b7094f2ef75838e978f5190eb2fd5b6fb49494ee2c9407c06c6a069a2d6f5c376d3dbe9ba346711b996d8f457ce4c154429ebd9c2b837a4eaaf2d60da381cd6f2a51f17e08885e5c3673495923a79a4a0daf88fc64c6a0264c27ed9f45c33314ac76f62fee50a065ddd9c25605bbf4f459f16fe904d1551e197c4931597c0c596b0b213d3353efb51ec5400521c5badc15b48606cab101fdd89e0b1ad743b31546c069278bbc29fa85e7deea633b8fa2b1ef307ea92ee8a17ebfa1905061fdbc4d361782fb805a4f963ebd272eaa29cdb599b0477ccddb4ec840fb209c90e110c9d7cf8593cc244c9287d3d169659c7b827b5279942dcef185ab1d3666c2986e6f6ffbd10437ebb24d28260c9cea45c24183375fec71208c5b5696511992d613ea4722fa48b1a8cdaaac5278652caa0f697538e9652572baf17db09e89f7177e69e1d891c539eb074b3c2af946e1f4880f1576161e6b3ea546100c5ea5a5335f6ce801813e2bcb42faf6928b0cf8e00abb5e88bb2e5faeee528536a5bce43f2f3c3088bb02ab1d787af5f5883d8faa7a1a2bf0b79d1fd61b6a8a455ba1a225c3765bff80f872063d1226e60bad4c53851b8248daa70326d83ffec5573869520f60ca588fb014a22937d10b98a9f14be17d77105f82a1e1e45e8e7015517b608699af77bb94cac36192594554d687280458ec273d52bf74e58eb96c03909adc88bc48cbbc06e77fb9cba10091bdacc6701b23178b860c650fab1df861dcf7902b290c97477bc9c173898c2360c3f12b20ac45bda685cc9b0eef03467f3a08e9ae0cd91992bb6c00c96387a435b1e562623bd3e8864e6e5d22dfab0393723ac1ab915e446e6e5754b69b5f1fbe5c0014e8f300d72e1645eb37ac0191c0fb682f4e4779f92c029f7b475ce2cbb38a7e3981cef9cdb43e7cf9c86a5002990a0bfed4cb0ca9f83ffb7c0d8fb4e369033bec3272ff5764479899536500c62ccfe06000fb12b1362b486803b10255cb122d5dab00cfb45c600533bba581036514b54bb7ed9fb443b37156ffa99f9391db0b58763b1fb5426c95c79bff9e731c97899d6fc4c213b2fa7cbaf9cd6da4d03e203c8e78ecc774eaee88fd786c3250f3ba6913a732a5130be05bfb4d6945260b05c545c4da53141556188ab484adc0f0a502f4f87bcb5072aa182e95c3d5b0e5d6846b2a5e52aec0895e857581be0bf84954d2d136a4ecbd3920ab4a05b89f7db8fd032ec8be31e08fe3b00c31b138503213fe2f15fb1fe0bf1295e4ff79f6eca57899c37f625e52745a6dc50c8054aaa1fca263a68b93ee29844404944a487afe940eea4222c8647ea1c31e9c12890e369a581a7480958f12da944af78cd224b0ea1b5e84cee096d936bb89e7a711af525c9adc898ab6087d7dadb09b0a41f4bf3065e2dd565163898dc18aeefa353300ceced23aa0aeb573d3dac1e6a92169eb0fb9f10d9cbbb52054faf893c5dd39902f9d59d17b77898c18c0ce8305db423e9ce68bb89227b4edc4ba89be7e96a26c8c5ef53c95e8ded8b8aae3f9d8834819a95be11fb81e10e790a7e702c6664ac25f40b4f61a59953f42292775127bb7beba6ff5e9c22bf92349ccc8436695970de42610c61039faa2036c3d3091752a7b53bf44edbc80ec7bcd02992b7eb4ffd6548472dd121eca523ebdf56a4231390c0338764c2dd9014b4b63f00727bd823ca9256d2fb1911fb9343c233d5a6e89231f8e59f1a397da7b4a8795dbb8873a54fe319458b1d0801121939d549a3290e8d42b94a93dc9320146e8feb334144cf394fc718cd5964de0971c756e58fe71203241ce299fe7464ec738da87127901caeb0bcca243c7031e2406fc4d5ed80a973c306c0d2edb7cbc48bd41d2e91a918ef689863ffc45980bed6d591d5059a2fae2c77eab7e027da674b74957166f0de6886e1df5d2b39acae15d148cd205868650d82c7b6a05481d3cbb9559c6053521d262a29afcce0b551f97350d69729b5c53a90063da2690122db7f0eaf0811a2c704b3a0f3d2f2a04a962c56fdb638a83427fe2c58bd2a729d8b33eb3753a7b8dded56f1b38eb1322f69669a9a7a575803fd8ee2b6091200369416ed476aaa19d214ea454108356ed112f860ed1a52db2eec2b1f7b70445da7fe79f1ea845d38d8b37d21f3c2cf2b6464a7c48fbae12e0017f3e94553914eea4b5b988f767350c794cb64ebf2ffa21e2113067593729ebe64a909b82d9a13adaadeda45f0e2a673118b9f7c33659fa6af9594b13dedac1f3d866dc9160cf25cd775c5453845971c9b4021e5933765180369ef279805b1c9f797bb9b187d3eec5daf1d96a0b95b624a9a9a8f2f49260de0b3f9b350844d2085d1a34c2b1bbcf0fa955b4a40cde27bb49e6964bb8ff48bd10b1c86d389bc387516bf32d4e17baac91648cd52525eac4f675fd1f2112ea520029512e2df835fdd4be3146320e5deebfd9d03e3eb35aa64f9eff655a34246fa7710049a026f45d653b60d5fdff23f0aa5b05c2d17b813761a0c315825783977451e14fe252d7c50183fff93e773e1a3752a4057eebbc066eaef02574f2492bc7f313f7818a549ad23e59e69aaa45a978ece8ee948b281d7ba2416b02ebc3cd770288d6eff7ff92c5c1f7c0f5379fe268ac8d5f5fd16ebd65653c72de40674243e6b452c4a48bb297dea206a0823d895bbeb06c7a4a46286c1bbe81b4a6f7f5c12750b274a3d2e690b6d8846eb1da1d20dd28b5c6963a5b8e9c167a5bbda83d68c6a50d4606c1ef39f46499c95e73000668c7387b1f2331a5463da6c719f918c11e37915bac76c3f071e002673f4ea6e859ef57644fca979f6fbbff51872df424cc4342da9b0703a7b37825f56d61db6091628264cd9640987579900002a886b51936694d54be001a272b96bdab2f37d627c71ccb7031ad341cbceb0d606ed583e1f94a7bfe2a94f59a0e8246775c8a9a9c69be981faca33e274fdd3c88bb743087be8e1b477aebce725946b1dc6aaa6d96aacdaa7d833765e5fe23b3ac7eea5fb1a83c7240d2eefcfaba7687cde51cfbcbde1c88d01dd869e69dd100c1654ebac218e895663090b8079e9823ef80a5e266875edcdbd4eaa0887a0edd691bd4776cf0068f888a13c26b2e764a808a2099bc1a2967b8d076f2584e980f1adfaa9ef9e1479398bf9cac5ef7c57ab6ded3099b88432711d01f6d9963d494c71d5ae5838ef89b365728b2d3316cbb2196d64ad8714f20015650e93dff31243d2b728c29fe9b1d2755e8ab8ca2c8a7baae3aeb41ef5c8f3819b47617464da9a8fd2f602856f415006d056b6662eef96a4f2eae532038fed6a57a33f4ff69b66ae703fc9ae609e58d7d12df9ffd4cdc607866cf354990099d7fdb8b9288db9d3574dffc4fe68d20824384bb65de3d9bf2c6b53c03b726272e47419cec1f2f69d0f9ad100fc35fa6dd6bf017c2cc387c456bde3ba2b0ad73be83ab33fa73a083e6bdf8a76b3c7756dc6e9aac97486f467d4b838104cc50d8fe45f078fede0db7b1c3cd064e0fdecef26a6754945eee1b4ca43a684f655c91dac02bb86bdfac6b72aba0fb594dfde6f9f861d6451dd2856fe53d370d39558fd692e6c4c84e8c2a635eff9defe6b756e1f190444ed6c990983e32db54627aba4059fa2ee9336ae1a0d36f5822d34a0905fb0a26561aad8cf84ee589507fbb44e0980c742766b476275e73fbf296fad305d94c2eac1af4d7174548955e1c4ad77cce16875930fd4e85e62d80069f97e5c79e9903b7294687cd6c4a06c36bb1fd512f78a17750eb9e0ac74a97364e332552c33cdbab6e65a7c65b934a79ce5b7f5280aa18669f09c038ba9b65f931ccf4eea9511e8d40247dee912b8e5239e7f4d913d47fabbbfc1cc468aa3529413e90aaed42ea337565da9ccebf99e46a97afebcbd44ef2655fb0819b5efd8137fbc2c26b79325603029cec188e0682b82ad8bbe398e95053fb3ba0445ca92714c9dd1ae95452f33f980db484f8bcb8194d6f2657e3e892e7e6e46f42dd2cbc9bf51279dd065926aead21c074dd0ae165fa5cda2468a3892aaf75a952336918481bf29b084be0a69421d50dfea84c6c41b7fc2a55c38a2edd3e32038ad27194f93a722c647aa22a21d8b8fdbfd16f6f632e", &(0x7f0000001280)=""/4096) ioctl$VIDIOC_SUBDEV_S_FRAME_INTERVAL(r2, 0xc0305616, &(0x7f0000002280)={0x0, {0xcf2d, 0x3f}}) r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) [ 2408.607893][T11740] binder: 11738:11740 Release 1 refcount change on invalid ref 0 ret -22 17:26:57 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = add_key$user(&(0x7f0000000100)='user\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)="c867b00f2a071ae72d933a4c30d3", 0xe, 0x0) keyctl$KEYCTL_PKEY_SIGN(0x1b, &(0x7f00000001c0)={r4, 0x3b, 0x283}, &(0x7f0000000200)=ANY=[@ANYBLOB="656e633d706b63733120686173683d63726333322bc8842bfdd60426000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000"], &(0x7f0000000280)="d1d2faeab793125167278067c0b1dc3a09f03e5da46f39bd2ce5d1258cc7c1486471e7cd8998fd74d015647b91a3b259d6053f6f651d6737c166ef3601aca0f45569b796554e1184ba1733dd2dbdbe4d56697cd8dbbd9f18545f22c0e4e4c9aa51f373bb8e390edbe913107916b8be7bff2144b98e880ffaf085b981aed9e9aee5da04fbec8f6e830bd120ce9f563bc224d4b17f8436ebeb99b01220dab352a3625533df9d346c761b554a3852739c42d0560975f288fd06af0ace517455ae532912dffbf981fa150b3d119514458a13220548a04f7612be87e0607ba793bbed1bf209d6c6f0a98d69bff345aa7701f1d81f3dd93b69c2aeb69514e0f0aad72ca7236ca75a31609ee1d55d6379302c553367a707142ff965f042f3e13fc149792651805edefec7582cac098aad37f454b27ec519b6593608166dd40c0b7d2ffe34336689b741935894259a490adafea8363e8b2e27aa7b093ebc334c93783da4ae45e88e90f0790ae5f33fe6bcaf86666a303a07a127d3db8eea4e7c3b1a53779db7dc8a880aaf4bdf65707712b0e54927772fa4a6fd6d49df7bdc315270e4c8901793d2ef46035ae92bc1d0e538c6d317175ac41cd2b40ef3c238a30f60277b7ec47d47613f136900d71582647eeeee70ff00e607c65299ae84514e0ba4f5efa6deea23862419986948e20c1ed58ba8bdef283accb971e0e0e4f5252b65515b6e594551d9bec84a3c9d5ea63c582b60c043430418ef1800556774e87f15ce4963353156bba2444eaf42d2349885c2ae2f3419e80fed29cf7214da9cc5f968c833f0c2d2f083516616e9918171a93c1ea29c1f005b76bd6476c5943761a75ecf7b312942c13afbe230be23f3fe70b34794eda38cfdc9aea6efb719ccad7ef7ebd852fdc3a09f9ba4f0f365e01fee742a7cdc2742a7ef4271b1cf9c7124b3a53bb2de0d84f2b781276113590aef10bd3b310def6e8f8f5f57ba0ceba6b4afe218c68ad3e9fe2aad9d22043c4e5bcedc269cc37d0ccf713903eeb959c45b4d2cd4c874fbec76764a5e6bce53f0a546671ac3575d6f5a7110b3497c68bdbf7179edfef0cec66e392f8d362a1c4899c7a821b277ce38d9d7c577540aefd3fcebab5473a03e3c851205233e66fd892e0929f14facd581ccce60cc2e0fbe79c75372dda0380bdfd9b87b928e65598413c6ea40e771cafe3bb23207fb2bca822c48d6e3420e447a32bc149f39d4290d688dfc913722383e72bb9feb2524a063b547e9d998154c818bc522da52f841c604a2d3a96a9d6cb31cd7a7b212c5ff715d4eeca85de366de843a47d7974b18a64c225bdb793e0c352e6ec0bfe49560ec832cb46c801a9c805f0999454bfaf2a8553b154d4800927510d1053b8870807769af4579de784d05167fbd19685f316b744196534bf719a1eae4c029d948ffa5608a0ef831572a4db65dccf9de0b4c4df58644900459b5eb982247234f6ecd2ca8c14227e52fbf3077ec41c54f6a8c5351ead91b5474864603d8acb3a88fb4082e24f9d0d03acf5ba5e567ca14101bdd4f53fc30cdc972d7994a985b76848b84ea6521599a2dc2a3bd03fd6fa45ad106da57a9962785125c6a4bbd6a06aebca82336d760c66979f4e0b7094f2ef75838e978f5190eb2fd5b6fb49494ee2c9407c06c6a069a2d6f5c376d3dbe9ba346711b996d8f457ce4c154429ebd9c2b837a4eaaf2d60da381cd6f2a51f17e08885e5c3673495923a79a4a0daf88fc64c6a0264c27ed9f45c33314ac76f62fee50a065ddd9c25605bbf4f459f16fe904d1551e197c4931597c0c596b0b213d3353efb51ec5400521c5badc15b48606cab101fdd89e0b1ad743b31546c069278bbc29fa85e7deea633b8fa2b1ef307ea92ee8a17ebfa1905061fdbc4d361782fb805a4f963ebd272eaa29cdb599b0477ccddb4ec840fb209c90e110c9d7cf8593cc244c9287d3d169659c7b827b5279942dcef185ab1d3666c2986e6f6ffbd10437ebb24d28260c9cea45c24183375fec71208c5b5696511992d613ea4722fa48b1a8cdaaac5278652caa0f697538e9652572baf17db09e89f7177e69e1d891c539eb074b3c2af946e1f4880f1576161e6b3ea546100c5ea5a5335f6ce801813e2bcb42faf6928b0cf8e00abb5e88bb2e5faeee528536a5bce43f2f3c3088bb02ab1d787af5f5883d8faa7a1a2bf0b79d1fd61b6a8a455ba1a225c3765bff80f872063d1226e60bad4c53851b8248daa70326d83ffec5573869520f60ca588fb014a22937d10b98a9f14be17d77105f82a1e1e45e8e7015517b608699af77bb94cac36192594554d687280458ec273d52bf74e58eb96c03909adc88bc48cbbc06e77fb9cba10091bdacc6701b23178b860c650fab1df861dcf7902b290c97477bc9c173898c2360c3f12b20ac45bda685cc9b0eef03467f3a08e9ae0cd91992bb6c00c96387a435b1e562623bd3e8864e6e5d22dfab0393723ac1ab915e446e6e5754b69b5f1fbe5c0014e8f300d72e1645eb37ac0191c0fb682f4e4779f92c029f7b475ce2cbb38a7e3981cef9cdb43e7cf9c86a5002990a0bfed4cb0ca9f83ffb7c0d8fb4e369033bec3272ff5764479899536500c62ccfe06000fb12b1362b486803b10255cb122d5dab00cfb45c600533bba581036514b54bb7ed9fb443b37156ffa99f9391db0b58763b1fb5426c95c79bff9e731c97899d6fc4c213b2fa7cbaf9cd6da4d03e203c8e78ecc774eaee88fd786c3250f3ba6913a732a5130be05bfb4d6945260b05c545c4da53141556188ab484adc0f0a502f4f87bcb5072aa182e95c3d5b0e5d6846b2a5e52aec0895e857581be0bf84954d2d136a4ecbd3920ab4a05b89f7db8fd032ec8be31e08fe3b00c31b138503213fe2f15fb1fe0bf1295e4ff79f6eca57899c37f625e52745a6dc50c8054aaa1fca263a68b93ee29844404944a487afe940eea4222c8647ea1c31e9c12890e369a581a7480958f12da944af78cd224b0ea1b5e84cee096d936bb89e7a711af525c9adc898ab6087d7dadb09b0a41f4bf3065e2dd565163898dc18aeefa353300ceced23aa0aeb573d3dac1e6a92169eb0fb9f10d9cbbb52054faf893c5dd39902f9d59d17b77898c18c0ce8305db423e9ce68bb89227b4edc4ba89be7e96a26c8c5ef53c95e8ded8b8aae3f9d8834819a95be11fb81e10e790a7e702c6664ac25f40b4f61a59953f42292775127bb7beba6ff5e9c22bf92349ccc8436695970de42610c61039faa2036c3d3091752a7b53bf44edbc80ec7bcd02992b7eb4ffd6548472dd121eca523ebdf56a4231390c0338764c2dd9014b4b63f00727bd823ca9256d2fb1911fb9343c233d5a6e89231f8e59f1a397da7b4a8795dbb8873a54fe319458b1d0801121939d549a3290e8d42b94a93dc9320146e8feb334144cf394fc718cd5964de0971c756e58fe71203241ce299fe7464ec738da87127901caeb0bcca243c7031e2406fc4d5ed80a973c306c0d2edb7cbc48bd41d2e91a918ef689863ffc45980bed6d591d5059a2fae2c77eab7e027da674b74957166f0de6886e1df5d2b39acae15d148cd205868650d82c7b6a05481d3cbb9559c6053521d262a29afcce0b551f97350d69729b5c53a90063da2690122db7f0eaf0811a2c704b3a0f3d2f2a04a962c56fdb638a83427fe2c58bd2a729d8b33eb3753a7b8dded56f1b38eb1322f69669a9a7a575803fd8ee2b6091200369416ed476aaa19d214ea454108356ed112f860ed1a52db2eec2b1f7b70445da7fe79f1ea845d38d8b37d21f3c2cf2b6464a7c48fbae12e0017f3e94553914eea4b5b988f767350c794cb64ebf2ffa21e2113067593729ebe64a909b82d9a13adaadeda45f0e2a673118b9f7c33659fa6af9594b13dedac1f3d866dc9160cf25cd775c5453845971c9b4021e5933765180369ef279805b1c9f797bb9b187d3eec5daf1d96a0b95b624a9a9a8f2f49260de0b3f9b350844d2085d1a34c2b1bbcf0fa955b4a40cde27bb49e6964bb8ff48bd10b1c86d389bc387516bf32d4e17baac91648cd52525eac4f675fd1f2112ea520029512e2df835fdd4be3146320e5deebfd9d03e3eb35aa64f9eff655a34246fa7710049a026f45d653b60d5fdff23f0aa5b05c2d17b813761a0c315825783977451e14fe252d7c50183fff93e773e1a3752a4057eebbc066eaef02574f2492bc7f313f7818a549ad23e59e69aaa45a978ece8ee948b281d7ba2416b02ebc3cd770288d6eff7ff92c5c1f7c0f5379fe268ac8d5f5fd16ebd65653c72de40674243e6b452c4a48bb297dea206a0823d895bbeb06c7a4a46286c1bbe81b4a6f7f5c12750b274a3d2e690b6d8846eb1da1d20dd28b5c6963a5b8e9c167a5bbda83d68c6a50d4606c1ef39f46499c95e73000668c7387b1f2331a5463da6c719f918c11e37915bac76c3f071e002673f4ea6e859ef57644fca979f6fbbff51872df424cc4342da9b0703a7b37825f56d61db6091628264cd9640987579900002a886b51936694d54be001a272b96bdab2f37d627c71ccb7031ad341cbceb0d606ed583e1f94a7bfe2a94f59a0e8246775c8a9a9c69be981faca33e274fdd3c88bb743087be8e1b477aebce725946b1dc6aaa6d96aacdaa7d833765e5fe23b3ac7eea5fb1a83c7240d2eefcfaba7687cde51cfbcbde1c88d01dd869e69dd100c1654ebac218e895663090b8079e9823ef80a5e266875edcdbd4eaa0887a0edd691bd4776cf0068f888a13c26b2e764a808a2099bc1a2967b8d076f2584e980f1adfaa9ef9e1479398bf9cac5ef7c57ab6ded3099b88432711d01f6d9963d494c71d5ae5838ef89b365728b2d3316cbb2196d64ad8714f20015650e93dff31243d2b728c29fe9b1d2755e8ab8ca2c8a7baae3aeb41ef5c8f3819b47617464da9a8fd2f602856f415006d056b6662eef96a4f2eae532038fed6a57a33f4ff69b66ae703fc9ae609e58d7d12df9ffd4cdc607866cf354990099d7fdb8b9288db9d3574dffc4fe68d20824384bb65de3d9bf2c6b53c03b726272e47419cec1f2f69d0f9ad100fc35fa6dd6bf017c2cc387c456bde3ba2b0ad73be83ab33fa73a083e6bdf8a76b3c7756dc6e9aac97486f467d4b838104cc50d8fe45f078fede0db7b1c3cd064e0fdecef26a6754945eee1b4ca43a684f655c91dac02bb86bdfac6b72aba0fb594dfde6f9f861d6451dd2856fe53d370d39558fd692e6c4c84e8c2a635eff9defe6b756e1f190444ed6c990983e32db54627aba4059fa2ee9336ae1a0d36f5822d34a0905fb0a26561aad8cf84ee589507fbb44e0980c742766b476275e73fbf296fad305d94c2eac1af4d7174548955e1c4ad77cce16875930fd4e85e62d80069f97e5c79e9903b7294687cd6c4a06c36bb1fd512f78a17750eb9e0ac74a97364e332552c33cdbab6e65a7c65b934a79ce5b7f5280aa18669f09c038ba9b65f931ccf4eea9511e8d40247dee912b8e5239e7f4d913d47fabbbfc1cc468aa3529413e90aaed42ea337565da9ccebf99e46a97afebcbd44ef2655fb0819b5efd8137fbc2c26b79325603029cec188e0682b82ad8bbe398e95053fb3ba0445ca92714c9dd1ae95452f33f980db484f8bcb8194d6f2657e3e892e7e6e46f42dd2cbc9bf51279dd065926aead21c074dd0ae165fa5cda2468a3892aaf75a952336918481bf29b084be0a69421d50dfea84c6c41b7fc2a55c38a2edd3e32038ad27194f93a722c647aa22a21d8b8fdbfd16f6f632e", &(0x7f0000001280)=""/4096) ioctl$VIDIOC_SUBDEV_S_FRAME_INTERVAL(r2, 0xc0305616, &(0x7f0000002280)={0x0, {0xcf2d, 0x3f}}) r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) [ 2408.668651][T11743] binder_alloc: binder_alloc_mmap_handler: 11738 20001000-20004000 already mapped failed -16 17:26:57 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000003c80)=[{{&(0x7f0000000180)=@in6={0xa, 0x0, 0x0, @local}, 0x80, &(0x7f00000005c0)=[{&(0x7f0000000200)=""/74, 0x4a}, {&(0x7f0000000280)=""/45, 0x2d}, {&(0x7f00000002c0)=""/83, 0x53}, {&(0x7f0000000340)=""/75, 0x4b}, {&(0x7f00000003c0)=""/16, 0x10}, {&(0x7f0000000400)=""/163, 0xa3}, {&(0x7f00000004c0)=""/254, 0xfe}], 0x7}, 0x3}, {{&(0x7f0000000640)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, 0x80, &(0x7f0000000700)=[{&(0x7f00000006c0)=""/1, 0x1}], 0x1, &(0x7f0000000740)=""/250, 0xfa}, 0x10000}, {{0x0, 0x0, &(0x7f0000000c00)=[{&(0x7f0000000840)=""/82, 0x52}, {&(0x7f00000008c0)=""/152, 0x98}, {&(0x7f0000000980)=""/124, 0x7c}, {&(0x7f0000000a00)=""/206, 0xce}, {&(0x7f0000000b00)=""/14, 0xe}, {&(0x7f0000000b40)=""/35, 0x23}, {&(0x7f0000000b80)=""/73, 0x49}], 0x7, &(0x7f0000000c80)=""/92, 0x5c}, 0xff}, {{&(0x7f0000000d00)=@rc, 0x80, &(0x7f0000000e80)=[{&(0x7f0000000d80)=""/254, 0xfe}], 0x1, &(0x7f0000000ec0)=""/144, 0x90}, 0x350}, {{&(0x7f0000000f80)=@x25={0x9, @remote}, 0x80, &(0x7f0000002680)=[{&(0x7f0000001000)=""/104, 0x68}, {&(0x7f0000001080)=""/23, 0x17}, {&(0x7f00000010c0)=""/236, 0xec}, {&(0x7f00000011c0)=""/4096, 0x1000}, {&(0x7f00000021c0)=""/69, 0x45}, {&(0x7f0000002240)=""/168, 0xa8}, {&(0x7f0000002300)=""/193, 0xc1}, {&(0x7f0000002400)=""/251, 0xfb}, {&(0x7f0000002500)=""/186, 0xba}, {&(0x7f00000025c0)=""/189, 0xbd}], 0xa, &(0x7f0000002740)=""/4, 0x4}, 0x81}, {{&(0x7f0000002780)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @loopback}}}, 0x80, &(0x7f0000003b00)=[{&(0x7f0000002800)=""/133, 0x85}, {&(0x7f00000028c0)=""/4096, 0x1000}, {&(0x7f00000038c0)=""/113, 0x71}, {&(0x7f0000003940)=""/165, 0xa5}, {&(0x7f0000003a00)=""/4, 0x4}, {&(0x7f0000003a40)=""/69, 0x45}, {&(0x7f0000003ac0)=""/1, 0x1}], 0x7, &(0x7f0000003b80)=""/209, 0xd1}, 0x5}], 0x6, 0x40002022, &(0x7f0000003e40)={r5, r6+30000000}) r7 = getpgrp(0xffffffffffffffff) ioctl$BLKTRACESETUP(r2, 0xc0481273, &(0x7f0000000100)={[], 0x8001, 0x4, 0xf5a3, 0xffff, 0x40, r7}) 17:26:57 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(0xffffffffffffffff, 0x2000c2604110, &(0x7f0000000000)) [ 2408.716304][T11740] binder: BINDER_SET_CONTEXT_MGR already set [ 2408.748874][T11740] binder: 11738:11740 ioctl 40046207 0 returned -16 [ 2408.748975][T11747] binder_alloc: 11738: binder_alloc_buf, no vma 17:26:57 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f00000002c0)='/dev/vbi#\x00', 0x1, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) fsetxattr$trusted_overlay_opaque(r2, &(0x7f0000000000)='trusted.overlay.opaque\x00', &(0x7f0000000280)='y\x00', 0xfffffdfa, 0x1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000400)='./file1\x00', 0x80) mount$bpf(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000019c0)='bpf\x00', 0x0, 0x0) mkdir(&(0x7f0000000200)='./file0/file0\x00', 0x0) mount$bpf(0x0, &(0x7f00000002c0)='./file0\x00', 0x0, 0x100000, 0x0) mount$bpf(0x20000000, &(0x7f00000003c0)='./file0/file0\x00', 0x0, 0x2201001, 0x0) mount$bpf(0x20000000, &(0x7f00000001c0)='./file0\x00', 0x0, 0x2001001, &(0x7f0000000580)=ANY=[]) mount$bpf(0x0, &(0x7f0000000440)='./file0/file0\x00', &(0x7f0000000080)='bpf\x00', 0x0, 0x0) mount$bpf(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000000280)='bpf\x00', 0x0, 0x0) mount$bpf(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000001c0)='bpf\x00', 0x0, 0x0) mount$bpf(0x20000000, &(0x7f0000000000)='.\x00', 0x0, 0x0, 0x0) mount$bpf(0x20000000, &(0x7f0000000380)='./file0\x00', &(0x7f0000000100)='bpf\x00', 0x5890, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r0, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xfffffffffffffe01, 0x500180de7f0002, 0x0, 0xab) r4 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') openat$vfio(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vfio/vfio\x00', 0x0, 0x0) sendmsg$IPVS_CMD_SET_DEST(r0, &(0x7f0000000240)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x20002008}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)={0x80, r4, 0x20, 0x70bd2a, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_DAEMON={0x6c, 0x3, [@IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @dev={0xfe, 0x80, [], 0xc}}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x1000}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e24}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x100000001}, @IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @mcast1}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8}, @IPVS_DAEMON_ATTR_STATE={0x8}]}]}, 0x80}, 0x1, 0x0, 0x0, 0x40}, 0x0) [ 2408.812196][T11743] binder: 11738:11743 Release 1 refcount change on invalid ref 0 ret -22 [ 2408.870482][ T2678] binder: release 11738:11740 transaction 1430 out, still active [ 2408.878229][ T2678] binder: unexpected work type, 4, not freed [ 2408.900072][T11747] binder: 11738:11747 transaction failed 29189/-3, size 24-8 line 3147 [ 2408.970067][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2408.975974][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:26:57 executing program 5: syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20012, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:57 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(0xffffffffffffffff, 0x2000c2604110, &(0x7f0000000000)) [ 2409.046956][ T2678] binder: send failed reply for transaction 1430, target dead [ 2409.145599][T11765] binder_alloc: binder_alloc_mmap_handler: 11762 20001000-20004000 already mapped failed -16 [ 2409.187770][T11763] binder: BINDER_SET_CONTEXT_MGR already set 17:26:58 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = add_key$user(&(0x7f0000000100)='user\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)="c867b00f2a071ae72d933a4c30d3", 0xe, 0x0) keyctl$KEYCTL_PKEY_SIGN(0x1b, &(0x7f00000001c0)={r4, 0x3b, 0x283}, &(0x7f0000000200)=ANY=[@ANYBLOB="656e633d706b63733120686173683d63726333322bc8842bfdd60426000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000"], &(0x7f0000000280)="d1d2faeab793125167278067c0b1dc3a09f03e5da46f39bd2ce5d1258cc7c1486471e7cd8998fd74d015647b91a3b259d6053f6f651d6737c166ef3601aca0f45569b796554e1184ba1733dd2dbdbe4d56697cd8dbbd9f18545f22c0e4e4c9aa51f373bb8e390edbe913107916b8be7bff2144b98e880ffaf085b981aed9e9aee5da04fbec8f6e830bd120ce9f563bc224d4b17f8436ebeb99b01220dab352a3625533df9d346c761b554a3852739c42d0560975f288fd06af0ace517455ae532912dffbf981fa150b3d119514458a13220548a04f7612be87e0607ba793bbed1bf209d6c6f0a98d69bff345aa7701f1d81f3dd93b69c2aeb69514e0f0aad72ca7236ca75a31609ee1d55d6379302c553367a707142ff965f042f3e13fc149792651805edefec7582cac098aad37f454b27ec519b6593608166dd40c0b7d2ffe34336689b741935894259a490adafea8363e8b2e27aa7b093ebc334c93783da4ae45e88e90f0790ae5f33fe6bcaf86666a303a07a127d3db8eea4e7c3b1a53779db7dc8a880aaf4bdf65707712b0e54927772fa4a6fd6d49df7bdc315270e4c8901793d2ef46035ae92bc1d0e538c6d317175ac41cd2b40ef3c238a30f60277b7ec47d47613f136900d71582647eeeee70ff00e607c65299ae84514e0ba4f5efa6deea23862419986948e20c1ed58ba8bdef283accb971e0e0e4f5252b65515b6e594551d9bec84a3c9d5ea63c582b60c043430418ef1800556774e87f15ce4963353156bba2444eaf42d2349885c2ae2f3419e80fed29cf7214da9cc5f968c833f0c2d2f083516616e9918171a93c1ea29c1f005b76bd6476c5943761a75ecf7b312942c13afbe230be23f3fe70b34794eda38cfdc9aea6efb719ccad7ef7ebd852fdc3a09f9ba4f0f365e01fee742a7cdc2742a7ef4271b1cf9c7124b3a53bb2de0d84f2b781276113590aef10bd3b310def6e8f8f5f57ba0ceba6b4afe218c68ad3e9fe2aad9d22043c4e5bcedc269cc37d0ccf713903eeb959c45b4d2cd4c874fbec76764a5e6bce53f0a546671ac3575d6f5a7110b3497c68bdbf7179edfef0cec66e392f8d362a1c4899c7a821b277ce38d9d7c577540aefd3fcebab5473a03e3c851205233e66fd892e0929f14facd581ccce60cc2e0fbe79c75372dda0380bdfd9b87b928e65598413c6ea40e771cafe3bb23207fb2bca822c48d6e3420e447a32bc149f39d4290d688dfc913722383e72bb9feb2524a063b547e9d998154c818bc522da52f841c604a2d3a96a9d6cb31cd7a7b212c5ff715d4eeca85de366de843a47d7974b18a64c225bdb793e0c352e6ec0bfe49560ec832cb46c801a9c805f0999454bfaf2a8553b154d4800927510d1053b8870807769af4579de784d05167fbd19685f316b744196534bf719a1eae4c029d948ffa5608a0ef831572a4db65dccf9de0b4c4df58644900459b5eb982247234f6ecd2ca8c14227e52fbf3077ec41c54f6a8c5351ead91b5474864603d8acb3a88fb4082e24f9d0d03acf5ba5e567ca14101bdd4f53fc30cdc972d7994a985b76848b84ea6521599a2dc2a3bd03fd6fa45ad106da57a9962785125c6a4bbd6a06aebca82336d760c66979f4e0b7094f2ef75838e978f5190eb2fd5b6fb49494ee2c9407c06c6a069a2d6f5c376d3dbe9ba346711b996d8f457ce4c154429ebd9c2b837a4eaaf2d60da381cd6f2a51f17e08885e5c3673495923a79a4a0daf88fc64c6a0264c27ed9f45c33314ac76f62fee50a065ddd9c25605bbf4f459f16fe904d1551e197c4931597c0c596b0b213d3353efb51ec5400521c5badc15b48606cab101fdd89e0b1ad743b31546c069278bbc29fa85e7deea633b8fa2b1ef307ea92ee8a17ebfa1905061fdbc4d361782fb805a4f963ebd272eaa29cdb599b0477ccddb4ec840fb209c90e110c9d7cf8593cc244c9287d3d169659c7b827b5279942dcef185ab1d3666c2986e6f6ffbd10437ebb24d28260c9cea45c24183375fec71208c5b5696511992d613ea4722fa48b1a8cdaaac5278652caa0f697538e9652572baf17db09e89f7177e69e1d891c539eb074b3c2af946e1f4880f1576161e6b3ea546100c5ea5a5335f6ce801813e2bcb42faf6928b0cf8e00abb5e88bb2e5faeee528536a5bce43f2f3c3088bb02ab1d787af5f5883d8faa7a1a2bf0b79d1fd61b6a8a455ba1a225c3765bff80f872063d1226e60bad4c53851b8248daa70326d83ffec5573869520f60ca588fb014a22937d10b98a9f14be17d77105f82a1e1e45e8e7015517b608699af77bb94cac36192594554d687280458ec273d52bf74e58eb96c03909adc88bc48cbbc06e77fb9cba10091bdacc6701b23178b860c650fab1df861dcf7902b290c97477bc9c173898c2360c3f12b20ac45bda685cc9b0eef03467f3a08e9ae0cd91992bb6c00c96387a435b1e562623bd3e8864e6e5d22dfab0393723ac1ab915e446e6e5754b69b5f1fbe5c0014e8f300d72e1645eb37ac0191c0fb682f4e4779f92c029f7b475ce2cbb38a7e3981cef9cdb43e7cf9c86a5002990a0bfed4cb0ca9f83ffb7c0d8fb4e369033bec3272ff5764479899536500c62ccfe06000fb12b1362b486803b10255cb122d5dab00cfb45c600533bba581036514b54bb7ed9fb443b37156ffa99f9391db0b58763b1fb5426c95c79bff9e731c97899d6fc4c213b2fa7cbaf9cd6da4d03e203c8e78ecc774eaee88fd786c3250f3ba6913a732a5130be05bfb4d6945260b05c545c4da53141556188ab484adc0f0a502f4f87bcb5072aa182e95c3d5b0e5d6846b2a5e52aec0895e857581be0bf84954d2d136a4ecbd3920ab4a05b89f7db8fd032ec8be31e08fe3b00c31b138503213fe2f15fb1fe0bf1295e4ff79f6eca57899c37f625e52745a6dc50c8054aaa1fca263a68b93ee29844404944a487afe940eea4222c8647ea1c31e9c12890e369a581a7480958f12da944af78cd224b0ea1b5e84cee096d936bb89e7a711af525c9adc898ab6087d7dadb09b0a41f4bf3065e2dd565163898dc18aeefa353300ceced23aa0aeb573d3dac1e6a92169eb0fb9f10d9cbbb52054faf893c5dd39902f9d59d17b77898c18c0ce8305db423e9ce68bb89227b4edc4ba89be7e96a26c8c5ef53c95e8ded8b8aae3f9d8834819a95be11fb81e10e790a7e702c6664ac25f40b4f61a59953f42292775127bb7beba6ff5e9c22bf92349ccc8436695970de42610c61039faa2036c3d3091752a7b53bf44edbc80ec7bcd02992b7eb4ffd6548472dd121eca523ebdf56a4231390c0338764c2dd9014b4b63f00727bd823ca9256d2fb1911fb9343c233d5a6e89231f8e59f1a397da7b4a8795dbb8873a54fe319458b1d0801121939d549a3290e8d42b94a93dc9320146e8feb334144cf394fc718cd5964de0971c756e58fe71203241ce299fe7464ec738da87127901caeb0bcca243c7031e2406fc4d5ed80a973c306c0d2edb7cbc48bd41d2e91a918ef689863ffc45980bed6d591d5059a2fae2c77eab7e027da674b74957166f0de6886e1df5d2b39acae15d148cd205868650d82c7b6a05481d3cbb9559c6053521d262a29afcce0b551f97350d69729b5c53a90063da2690122db7f0eaf0811a2c704b3a0f3d2f2a04a962c56fdb638a83427fe2c58bd2a729d8b33eb3753a7b8dded56f1b38eb1322f69669a9a7a575803fd8ee2b6091200369416ed476aaa19d214ea454108356ed112f860ed1a52db2eec2b1f7b70445da7fe79f1ea845d38d8b37d21f3c2cf2b6464a7c48fbae12e0017f3e94553914eea4b5b988f767350c794cb64ebf2ffa21e2113067593729ebe64a909b82d9a13adaadeda45f0e2a673118b9f7c33659fa6af9594b13dedac1f3d866dc9160cf25cd775c5453845971c9b4021e5933765180369ef279805b1c9f797bb9b187d3eec5daf1d96a0b95b624a9a9a8f2f49260de0b3f9b350844d2085d1a34c2b1bbcf0fa955b4a40cde27bb49e6964bb8ff48bd10b1c86d389bc387516bf32d4e17baac91648cd52525eac4f675fd1f2112ea520029512e2df835fdd4be3146320e5deebfd9d03e3eb35aa64f9eff655a34246fa7710049a026f45d653b60d5fdff23f0aa5b05c2d17b813761a0c315825783977451e14fe252d7c50183fff93e773e1a3752a4057eebbc066eaef02574f2492bc7f313f7818a549ad23e59e69aaa45a978ece8ee948b281d7ba2416b02ebc3cd770288d6eff7ff92c5c1f7c0f5379fe268ac8d5f5fd16ebd65653c72de40674243e6b452c4a48bb297dea206a0823d895bbeb06c7a4a46286c1bbe81b4a6f7f5c12750b274a3d2e690b6d8846eb1da1d20dd28b5c6963a5b8e9c167a5bbda83d68c6a50d4606c1ef39f46499c95e73000668c7387b1f2331a5463da6c719f918c11e37915bac76c3f071e002673f4ea6e859ef57644fca979f6fbbff51872df424cc4342da9b0703a7b37825f56d61db6091628264cd9640987579900002a886b51936694d54be001a272b96bdab2f37d627c71ccb7031ad341cbceb0d606ed583e1f94a7bfe2a94f59a0e8246775c8a9a9c69be981faca33e274fdd3c88bb743087be8e1b477aebce725946b1dc6aaa6d96aacdaa7d833765e5fe23b3ac7eea5fb1a83c7240d2eefcfaba7687cde51cfbcbde1c88d01dd869e69dd100c1654ebac218e895663090b8079e9823ef80a5e266875edcdbd4eaa0887a0edd691bd4776cf0068f888a13c26b2e764a808a2099bc1a2967b8d076f2584e980f1adfaa9ef9e1479398bf9cac5ef7c57ab6ded3099b88432711d01f6d9963d494c71d5ae5838ef89b365728b2d3316cbb2196d64ad8714f20015650e93dff31243d2b728c29fe9b1d2755e8ab8ca2c8a7baae3aeb41ef5c8f3819b47617464da9a8fd2f602856f415006d056b6662eef96a4f2eae532038fed6a57a33f4ff69b66ae703fc9ae609e58d7d12df9ffd4cdc607866cf354990099d7fdb8b9288db9d3574dffc4fe68d20824384bb65de3d9bf2c6b53c03b726272e47419cec1f2f69d0f9ad100fc35fa6dd6bf017c2cc387c456bde3ba2b0ad73be83ab33fa73a083e6bdf8a76b3c7756dc6e9aac97486f467d4b838104cc50d8fe45f078fede0db7b1c3cd064e0fdecef26a6754945eee1b4ca43a684f655c91dac02bb86bdfac6b72aba0fb594dfde6f9f861d6451dd2856fe53d370d39558fd692e6c4c84e8c2a635eff9defe6b756e1f190444ed6c990983e32db54627aba4059fa2ee9336ae1a0d36f5822d34a0905fb0a26561aad8cf84ee589507fbb44e0980c742766b476275e73fbf296fad305d94c2eac1af4d7174548955e1c4ad77cce16875930fd4e85e62d80069f97e5c79e9903b7294687cd6c4a06c36bb1fd512f78a17750eb9e0ac74a97364e332552c33cdbab6e65a7c65b934a79ce5b7f5280aa18669f09c038ba9b65f931ccf4eea9511e8d40247dee912b8e5239e7f4d913d47fabbbfc1cc468aa3529413e90aaed42ea337565da9ccebf99e46a97afebcbd44ef2655fb0819b5efd8137fbc2c26b79325603029cec188e0682b82ad8bbe398e95053fb3ba0445ca92714c9dd1ae95452f33f980db484f8bcb8194d6f2657e3e892e7e6e46f42dd2cbc9bf51279dd065926aead21c074dd0ae165fa5cda2468a3892aaf75a952336918481bf29b084be0a69421d50dfea84c6c41b7fc2a55c38a2edd3e32038ad27194f93a722c647aa22a21d8b8fdbfd16f6f632e", &(0x7f0000001280)=""/4096) ioctl$VIDIOC_SUBDEV_S_FRAME_INTERVAL(r2, 0xc0305616, &(0x7f0000002280)={0x0, {0xcf2d, 0x3f}}) r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) 17:26:58 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x0, &(0x7f0000000000)) 17:26:58 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = add_key$user(&(0x7f0000000100)='user\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)="c867b00f2a071ae72d933a4c30d3", 0xe, 0x0) keyctl$KEYCTL_PKEY_SIGN(0x1b, &(0x7f00000001c0)={r4, 0x3b, 0x283}, &(0x7f0000000200)=ANY=[@ANYBLOB="656e633d706b63733120686173683d63726333322bc8842bfdd60426000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000"], &(0x7f0000000280)="d1d2faeab793125167278067c0b1dc3a09f03e5da46f39bd2ce5d1258cc7c1486471e7cd8998fd74d015647b91a3b259d6053f6f651d6737c166ef3601aca0f45569b796554e1184ba1733dd2dbdbe4d56697cd8dbbd9f18545f22c0e4e4c9aa51f373bb8e390edbe913107916b8be7bff2144b98e880ffaf085b981aed9e9aee5da04fbec8f6e830bd120ce9f563bc224d4b17f8436ebeb99b01220dab352a3625533df9d346c761b554a3852739c42d0560975f288fd06af0ace517455ae532912dffbf981fa150b3d119514458a13220548a04f7612be87e0607ba793bbed1bf209d6c6f0a98d69bff345aa7701f1d81f3dd93b69c2aeb69514e0f0aad72ca7236ca75a31609ee1d55d6379302c553367a707142ff965f042f3e13fc149792651805edefec7582cac098aad37f454b27ec519b6593608166dd40c0b7d2ffe34336689b741935894259a490adafea8363e8b2e27aa7b093ebc334c93783da4ae45e88e90f0790ae5f33fe6bcaf86666a303a07a127d3db8eea4e7c3b1a53779db7dc8a880aaf4bdf65707712b0e54927772fa4a6fd6d49df7bdc315270e4c8901793d2ef46035ae92bc1d0e538c6d317175ac41cd2b40ef3c238a30f60277b7ec47d47613f136900d71582647eeeee70ff00e607c65299ae84514e0ba4f5efa6deea23862419986948e20c1ed58ba8bdef283accb971e0e0e4f5252b65515b6e594551d9bec84a3c9d5ea63c582b60c043430418ef1800556774e87f15ce4963353156bba2444eaf42d2349885c2ae2f3419e80fed29cf7214da9cc5f968c833f0c2d2f083516616e9918171a93c1ea29c1f005b76bd6476c5943761a75ecf7b312942c13afbe230be23f3fe70b34794eda38cfdc9aea6efb719ccad7ef7ebd852fdc3a09f9ba4f0f365e01fee742a7cdc2742a7ef4271b1cf9c7124b3a53bb2de0d84f2b781276113590aef10bd3b310def6e8f8f5f57ba0ceba6b4afe218c68ad3e9fe2aad9d22043c4e5bcedc269cc37d0ccf713903eeb959c45b4d2cd4c874fbec76764a5e6bce53f0a546671ac3575d6f5a7110b3497c68bdbf7179edfef0cec66e392f8d362a1c4899c7a821b277ce38d9d7c577540aefd3fcebab5473a03e3c851205233e66fd892e0929f14facd581ccce60cc2e0fbe79c75372dda0380bdfd9b87b928e65598413c6ea40e771cafe3bb23207fb2bca822c48d6e3420e447a32bc149f39d4290d688dfc913722383e72bb9feb2524a063b547e9d998154c818bc522da52f841c604a2d3a96a9d6cb31cd7a7b212c5ff715d4eeca85de366de843a47d7974b18a64c225bdb793e0c352e6ec0bfe49560ec832cb46c801a9c805f0999454bfaf2a8553b154d4800927510d1053b8870807769af4579de784d05167fbd19685f316b744196534bf719a1eae4c029d948ffa5608a0ef831572a4db65dccf9de0b4c4df58644900459b5eb982247234f6ecd2ca8c14227e52fbf3077ec41c54f6a8c5351ead91b5474864603d8acb3a88fb4082e24f9d0d03acf5ba5e567ca14101bdd4f53fc30cdc972d7994a985b76848b84ea6521599a2dc2a3bd03fd6fa45ad106da57a9962785125c6a4bbd6a06aebca82336d760c66979f4e0b7094f2ef75838e978f5190eb2fd5b6fb49494ee2c9407c06c6a069a2d6f5c376d3dbe9ba346711b996d8f457ce4c154429ebd9c2b837a4eaaf2d60da381cd6f2a51f17e08885e5c3673495923a79a4a0daf88fc64c6a0264c27ed9f45c33314ac76f62fee50a065ddd9c25605bbf4f459f16fe904d1551e197c4931597c0c596b0b213d3353efb51ec5400521c5badc15b48606cab101fdd89e0b1ad743b31546c069278bbc29fa85e7deea633b8fa2b1ef307ea92ee8a17ebfa1905061fdbc4d361782fb805a4f963ebd272eaa29cdb599b0477ccddb4ec840fb209c90e110c9d7cf8593cc244c9287d3d169659c7b827b5279942dcef185ab1d3666c2986e6f6ffbd10437ebb24d28260c9cea45c24183375fec71208c5b5696511992d613ea4722fa48b1a8cdaaac5278652caa0f697538e9652572baf17db09e89f7177e69e1d891c539eb074b3c2af946e1f4880f1576161e6b3ea546100c5ea5a5335f6ce801813e2bcb42faf6928b0cf8e00abb5e88bb2e5faeee528536a5bce43f2f3c3088bb02ab1d787af5f5883d8faa7a1a2bf0b79d1fd61b6a8a455ba1a225c3765bff80f872063d1226e60bad4c53851b8248daa70326d83ffec5573869520f60ca588fb014a22937d10b98a9f14be17d77105f82a1e1e45e8e7015517b608699af77bb94cac36192594554d687280458ec273d52bf74e58eb96c03909adc88bc48cbbc06e77fb9cba10091bdacc6701b23178b860c650fab1df861dcf7902b290c97477bc9c173898c2360c3f12b20ac45bda685cc9b0eef03467f3a08e9ae0cd91992bb6c00c96387a435b1e562623bd3e8864e6e5d22dfab0393723ac1ab915e446e6e5754b69b5f1fbe5c0014e8f300d72e1645eb37ac0191c0fb682f4e4779f92c029f7b475ce2cbb38a7e3981cef9cdb43e7cf9c86a5002990a0bfed4cb0ca9f83ffb7c0d8fb4e369033bec3272ff5764479899536500c62ccfe06000fb12b1362b486803b10255cb122d5dab00cfb45c600533bba581036514b54bb7ed9fb443b37156ffa99f9391db0b58763b1fb5426c95c79bff9e731c97899d6fc4c213b2fa7cbaf9cd6da4d03e203c8e78ecc774eaee88fd786c3250f3ba6913a732a5130be05bfb4d6945260b05c545c4da53141556188ab484adc0f0a502f4f87bcb5072aa182e95c3d5b0e5d6846b2a5e52aec0895e857581be0bf84954d2d136a4ecbd3920ab4a05b89f7db8fd032ec8be31e08fe3b00c31b138503213fe2f15fb1fe0bf1295e4ff79f6eca57899c37f625e52745a6dc50c8054aaa1fca263a68b93ee29844404944a487afe940eea4222c8647ea1c31e9c12890e369a581a7480958f12da944af78cd224b0ea1b5e84cee096d936bb89e7a711af525c9adc898ab6087d7dadb09b0a41f4bf3065e2dd565163898dc18aeefa353300ceced23aa0aeb573d3dac1e6a92169eb0fb9f10d9cbbb52054faf893c5dd39902f9d59d17b77898c18c0ce8305db423e9ce68bb89227b4edc4ba89be7e96a26c8c5ef53c95e8ded8b8aae3f9d8834819a95be11fb81e10e790a7e702c6664ac25f40b4f61a59953f42292775127bb7beba6ff5e9c22bf92349ccc8436695970de42610c61039faa2036c3d3091752a7b53bf44edbc80ec7bcd02992b7eb4ffd6548472dd121eca523ebdf56a4231390c0338764c2dd9014b4b63f00727bd823ca9256d2fb1911fb9343c233d5a6e89231f8e59f1a397da7b4a8795dbb8873a54fe319458b1d0801121939d549a3290e8d42b94a93dc9320146e8feb334144cf394fc718cd5964de0971c756e58fe71203241ce299fe7464ec738da87127901caeb0bcca243c7031e2406fc4d5ed80a973c306c0d2edb7cbc48bd41d2e91a918ef689863ffc45980bed6d591d5059a2fae2c77eab7e027da674b74957166f0de6886e1df5d2b39acae15d148cd205868650d82c7b6a05481d3cbb9559c6053521d262a29afcce0b551f97350d69729b5c53a90063da2690122db7f0eaf0811a2c704b3a0f3d2f2a04a962c56fdb638a83427fe2c58bd2a729d8b33eb3753a7b8dded56f1b38eb1322f69669a9a7a575803fd8ee2b6091200369416ed476aaa19d214ea454108356ed112f860ed1a52db2eec2b1f7b70445da7fe79f1ea845d38d8b37d21f3c2cf2b6464a7c48fbae12e0017f3e94553914eea4b5b988f767350c794cb64ebf2ffa21e2113067593729ebe64a909b82d9a13adaadeda45f0e2a673118b9f7c33659fa6af9594b13dedac1f3d866dc9160cf25cd775c5453845971c9b4021e5933765180369ef279805b1c9f797bb9b187d3eec5daf1d96a0b95b624a9a9a8f2f49260de0b3f9b350844d2085d1a34c2b1bbcf0fa955b4a40cde27bb49e6964bb8ff48bd10b1c86d389bc387516bf32d4e17baac91648cd52525eac4f675fd1f2112ea520029512e2df835fdd4be3146320e5deebfd9d03e3eb35aa64f9eff655a34246fa7710049a026f45d653b60d5fdff23f0aa5b05c2d17b813761a0c315825783977451e14fe252d7c50183fff93e773e1a3752a4057eebbc066eaef02574f2492bc7f313f7818a549ad23e59e69aaa45a978ece8ee948b281d7ba2416b02ebc3cd770288d6eff7ff92c5c1f7c0f5379fe268ac8d5f5fd16ebd65653c72de40674243e6b452c4a48bb297dea206a0823d895bbeb06c7a4a46286c1bbe81b4a6f7f5c12750b274a3d2e690b6d8846eb1da1d20dd28b5c6963a5b8e9c167a5bbda83d68c6a50d4606c1ef39f46499c95e73000668c7387b1f2331a5463da6c719f918c11e37915bac76c3f071e002673f4ea6e859ef57644fca979f6fbbff51872df424cc4342da9b0703a7b37825f56d61db6091628264cd9640987579900002a886b51936694d54be001a272b96bdab2f37d627c71ccb7031ad341cbceb0d606ed583e1f94a7bfe2a94f59a0e8246775c8a9a9c69be981faca33e274fdd3c88bb743087be8e1b477aebce725946b1dc6aaa6d96aacdaa7d833765e5fe23b3ac7eea5fb1a83c7240d2eefcfaba7687cde51cfbcbde1c88d01dd869e69dd100c1654ebac218e895663090b8079e9823ef80a5e266875edcdbd4eaa0887a0edd691bd4776cf0068f888a13c26b2e764a808a2099bc1a2967b8d076f2584e980f1adfaa9ef9e1479398bf9cac5ef7c57ab6ded3099b88432711d01f6d9963d494c71d5ae5838ef89b365728b2d3316cbb2196d64ad8714f20015650e93dff31243d2b728c29fe9b1d2755e8ab8ca2c8a7baae3aeb41ef5c8f3819b47617464da9a8fd2f602856f415006d056b6662eef96a4f2eae532038fed6a57a33f4ff69b66ae703fc9ae609e58d7d12df9ffd4cdc607866cf354990099d7fdb8b9288db9d3574dffc4fe68d20824384bb65de3d9bf2c6b53c03b726272e47419cec1f2f69d0f9ad100fc35fa6dd6bf017c2cc387c456bde3ba2b0ad73be83ab33fa73a083e6bdf8a76b3c7756dc6e9aac97486f467d4b838104cc50d8fe45f078fede0db7b1c3cd064e0fdecef26a6754945eee1b4ca43a684f655c91dac02bb86bdfac6b72aba0fb594dfde6f9f861d6451dd2856fe53d370d39558fd692e6c4c84e8c2a635eff9defe6b756e1f190444ed6c990983e32db54627aba4059fa2ee9336ae1a0d36f5822d34a0905fb0a26561aad8cf84ee589507fbb44e0980c742766b476275e73fbf296fad305d94c2eac1af4d7174548955e1c4ad77cce16875930fd4e85e62d80069f97e5c79e9903b7294687cd6c4a06c36bb1fd512f78a17750eb9e0ac74a97364e332552c33cdbab6e65a7c65b934a79ce5b7f5280aa18669f09c038ba9b65f931ccf4eea9511e8d40247dee912b8e5239e7f4d913d47fabbbfc1cc468aa3529413e90aaed42ea337565da9ccebf99e46a97afebcbd44ef2655fb0819b5efd8137fbc2c26b79325603029cec188e0682b82ad8bbe398e95053fb3ba0445ca92714c9dd1ae95452f33f980db484f8bcb8194d6f2657e3e892e7e6e46f42dd2cbc9bf51279dd065926aead21c074dd0ae165fa5cda2468a3892aaf75a952336918481bf29b084be0a69421d50dfea84c6c41b7fc2a55c38a2edd3e32038ad27194f93a722c647aa22a21d8b8fdbfd16f6f632e", &(0x7f0000001280)=""/4096) ioctl$VIDIOC_SUBDEV_S_FRAME_INTERVAL(r2, 0xc0305616, &(0x7f0000002280)={0x0, {0xcf2d, 0x3f}}) r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) [ 2409.250350][T11763] binder: 11762:11763 ioctl 40046207 0 returned -16 17:26:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = dup3(r0, r0, 0x80000) write$P9_RLINK(r1, &(0x7f0000000040)={0x7, 0x47, 0x2}, 0x7) r2 = syz_open_dev$binder(0x0, 0x0, 0x40000400000802) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000180)={0x78, 0x0, &(0x7f0000000100)=[@reply={0x40406301, {0x0, 0x0, 0x4, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000080), &(0x7f00000000c0)}}, @release, @clear_death={0x400c630f, 0x2, 0x3}, @exit_looper, @clear_death={0x400c630f, 0x4, 0x3}, @acquire={0x40046305, 0x2}], 0xe9, 0x0, &(0x7f00000003c0)="28c764cb4e4592f434050d42f5bc1a497a89d22d407942d0eba5bb093cc3d831ae46285a30c0f578222b9029ceb34ec6f78324aaf0a26adb62d238055d54d4c09a9766f1e7a887f8add45e381765b0c074001e2e72c979638c237a4e6310f00734fe938c5a4d96c906be8477d16a19598445c4c484361fc2ea801abaaa894ce870b6da7f713f32c9293f93515ee8383043774ca849d33d4436443484cc538dd533c76af220d237d3c4723d8cc2348c4a6710d2c794005a401abe5e0cfeecca8331c2490784c52a4fb2e672d24e8e1ef03487acd58e24399a2226f4701a62685b4ff8fc8c7b4ca891ee"}) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="266304e6427854b2a85319eeff07000040"], 0x0, 0x0, 0x0}) 17:26:58 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x0, &(0x7f0000000000)) [ 2409.427611][T11776] binder: 11775:11776 got reply transaction with no transaction stack 17:26:58 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) openat$vcs(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcs\x00', 0x0, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) setns(r0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2409.532748][T11776] binder: 11775:11776 transaction failed 29201/-71, size 0-0 line 2899 17:26:58 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) fchmod(r0, 0x2) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$KVM_SET_DEVICE_ATTR(r0, 0x4018aee1, &(0x7f0000000140)={0x0, 0x0, 0x7, &(0x7f0000000100)=0x8}) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:58 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x0, &(0x7f0000000000)) [ 2409.614383][T11784] binder_alloc: binder_alloc_mmap_handler: 11775 20001000-20004000 already mapped failed -16 [ 2409.677458][T11776] binder: 11775:11776 got reply transaction with no transaction stack [ 2409.724495][T11789] binder: BINDER_SET_CONTEXT_MGR already set [ 2409.749130][T11789] binder: 11775:11789 ioctl 40046207 0 returned -16 17:26:58 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, 0x0) 17:26:58 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f00000002c0)='/dev/vbi#\x00', 0x1, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) fsetxattr$trusted_overlay_opaque(r2, &(0x7f0000000000)='trusted.overlay.opaque\x00', &(0x7f0000000280)='y\x00', 0xfffffdfa, 0x1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000400)='./file1\x00', 0x80) mount$bpf(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000019c0)='bpf\x00', 0x0, 0x0) mkdir(&(0x7f0000000200)='./file0/file0\x00', 0x0) mount$bpf(0x0, &(0x7f00000002c0)='./file0\x00', 0x0, 0x100000, 0x0) mount$bpf(0x20000000, &(0x7f00000003c0)='./file0/file0\x00', 0x0, 0x2201001, 0x0) mount$bpf(0x20000000, &(0x7f00000001c0)='./file0\x00', 0x0, 0x2001001, &(0x7f0000000580)=ANY=[]) mount$bpf(0x0, &(0x7f0000000440)='./file0/file0\x00', &(0x7f0000000080)='bpf\x00', 0x0, 0x0) mount$bpf(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000000280)='bpf\x00', 0x0, 0x0) mount$bpf(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000001c0)='bpf\x00', 0x0, 0x0) mount$bpf(0x20000000, &(0x7f0000000000)='.\x00', 0x0, 0x0, 0x0) mount$bpf(0x20000000, &(0x7f0000000380)='./file0\x00', &(0x7f0000000100)='bpf\x00', 0x5890, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r0, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xfffffffffffffe01, 0x500180de7f0002, 0x0, 0xab) r4 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') openat$vfio(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vfio/vfio\x00', 0x0, 0x0) sendmsg$IPVS_CMD_SET_DEST(r0, &(0x7f0000000240)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x20002008}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)={0x80, r4, 0x20, 0x70bd2a, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_DAEMON={0x6c, 0x3, [@IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @dev={0xfe, 0x80, [], 0xc}}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x1000}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e24}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x100000001}, @IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @mcast1}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8}, @IPVS_DAEMON_ATTR_STATE={0x8}]}]}, 0x80}, 0x1, 0x0, 0x0, 0x40}, 0x0) [ 2409.785786][T11780] binder_alloc: 11775: binder_alloc_buf, no vma [ 2409.814282][T12655] binder: release 11775:11784 transaction 1437 out, still active [ 2409.823853][T11776] binder: 11775:11776 transaction failed 29201/-71, size 0-0 line 2899 [ 2409.840901][T12655] binder: unexpected work type, 4, not freed [ 2409.865846][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2409.899113][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x12, 0x40) setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_REM(r2, 0x84, 0x65, &(0x7f0000000040)=[@in={0x2, 0x4e21, @rand_addr=0x4}, @in={0x2, 0x4e22, @multicast1}], 0x20) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:26:58 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x9400, 0x0, 0xa0008000) [ 2409.960436][T12655] binder: send failed reply for transaction 1437, target dead 17:26:58 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, 0x0) 17:26:58 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2410.150374][T11803] binder: BINDER_SET_CONTEXT_MGR already set [ 2410.213009][T11806] binder_alloc: 11798: binder_alloc_buf, no vma [ 2410.219549][T11803] binder: 11798:11803 ioctl 40046207 0 returned -16 [ 2410.243192][T11806] binder_transaction: 1 callbacks suppressed [ 2410.243211][T11806] binder: 11798:11806 transaction failed 29189/-3, size 24-8 line 3147 17:26:59 executing program 3: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, 0x0) [ 2410.255719][T12655] binder: send failed reply for transaction 1443 to 11798:11803 17:26:59 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f00000002c0)='/dev/vbi#\x00', 0x1, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) fsetxattr$trusted_overlay_opaque(r2, &(0x7f0000000000)='trusted.overlay.opaque\x00', &(0x7f0000000280)='y\x00', 0xfffffdfa, 0x1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000400)='./file1\x00', 0x80) mount$bpf(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000019c0)='bpf\x00', 0x0, 0x0) mkdir(&(0x7f0000000200)='./file0/file0\x00', 0x0) mount$bpf(0x0, &(0x7f00000002c0)='./file0\x00', 0x0, 0x100000, 0x0) mount$bpf(0x20000000, &(0x7f00000003c0)='./file0/file0\x00', 0x0, 0x2201001, 0x0) mount$bpf(0x20000000, &(0x7f00000001c0)='./file0\x00', 0x0, 0x2001001, &(0x7f0000000580)=ANY=[]) mount$bpf(0x0, &(0x7f0000000440)='./file0/file0\x00', &(0x7f0000000080)='bpf\x00', 0x0, 0x0) mount$bpf(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000000280)='bpf\x00', 0x0, 0x0) mount$bpf(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000001c0)='bpf\x00', 0x0, 0x0) mount$bpf(0x20000000, &(0x7f0000000000)='.\x00', 0x0, 0x0, 0x0) mount$bpf(0x20000000, &(0x7f0000000380)='./file0\x00', &(0x7f0000000100)='bpf\x00', 0x5890, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r0, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0xfffffffffffffe01, 0x500180de7f0002, 0x0, 0xab) r4 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') openat$vfio(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vfio/vfio\x00', 0x0, 0x0) sendmsg$IPVS_CMD_SET_DEST(r0, &(0x7f0000000240)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x20002008}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)={0x80, r4, 0x20, 0x70bd2a, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_DAEMON={0x6c, 0x3, [@IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @dev={0xfe, 0x80, [], 0xc}}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x1000}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e24}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x100000001}, @IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @mcast1}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8}, @IPVS_DAEMON_ATTR_STATE={0x8}]}]}, 0x80}, 0x1, 0x0, 0x0, 0x40}, 0x0) [ 2410.327545][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2410.359941][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2410.365785][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f00000000c0)='TIPCv2\x00') sendmsg$TIPC_NL_PEER_REMOVE(r1, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000001c0)={0x14, r2, 0x221, 0x0, 0x0, {0xa}}, 0x14}}, 0x0) r3 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x2) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000080)={0x18e, 0x0, &(0x7f00000000c0)=ANY=[], 0xfffe, 0x0, 0x0}) r4 = syz_open_dev$radio(&(0x7f0000000280)='/dev/radio#\x00', 0x3, 0x2) ioctl$ASHMEM_PURGE_ALL_CACHES(r4, 0x770a, 0x0) r5 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x0, 0x0) r6 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') getsockopt$IP_VS_SO_GET_VERSION(r4, 0x0, 0x480, &(0x7f0000000140), &(0x7f0000000380)=0x40) sendmsg$TIPC_NL_BEARER_DISABLE(r5, &(0x7f0000000180)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f00000002c0)={&(0x7f0000000440)={0xb0, r6, 0x14, 0x70bd29, 0x25dfdbfe, {}, [@TIPC_NLA_LINK={0x98, 0x4, [@TIPC_NLA_LINK_PROP={0x4c, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4d89}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7f}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x100}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x100000000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}]}, @TIPC_NLA_LINK_PROP={0x34, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1d}, @TIPC_NLA_PROP_MTU={0x8}, @TIPC_NLA_PROP_TOL={0x8}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}]}, @TIPC_NLA_MEDIA={0x4}]}, 0xb0}}, 0x80) 17:26:59 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:59 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r3, 0x84, 0xa, &(0x7f0000000100)={0x4, 0x7ba, 0x8, 0x1, 0x5, 0x2, 0x7, 0x5, 0x0}, &(0x7f0000000140)=0x20) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r1, 0x84, 0x7c, &(0x7f0000000180)={r5, 0x4, 0xe8b5}, 0x8) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x4) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) ioctl$FS_IOC_GETFSLABEL(r0, 0x81009431, &(0x7f00000001c0)) 17:26:59 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) fchmod(r0, 0x2) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$KVM_SET_DEVICE_ATTR(r0, 0x4018aee1, &(0x7f0000000140)={0x0, 0x0, 0x7, &(0x7f0000000100)=0x8}) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2410.549969][T11820] binder: 11817:11820 unknown command 1129335124 [ 2410.559424][T11820] binder: 11817:11820 ioctl c0306201 20000080 returned -22 [ 2410.631341][T11825] binder_alloc: 11817: binder_alloc_buf, no vma [ 2410.637648][T11825] binder: 11817:11825 transaction failed 29189/-3, size 24-8 line 3147 17:26:59 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x9400, 0x0, 0xa0008000) [ 2410.711615][T12655] binder: release 11817:11820 transaction 1448 out, still active [ 2410.719397][T12655] binder: unexpected work type, 4, not freed [ 2410.815315][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2410.829453][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:26:59 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:26:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$EXT4_IOC_SETFLAGS(r0, 0x40086602, &(0x7f0000000040)=0x5) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) clock_getres(0x4, &(0x7f0000000000)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2410.865911][T12655] binder: send failed reply for transaction 1448, target dead [ 2411.033867][T11836] binder: 11835:11836 ioctl 40086602 20000040 returned -22 [ 2411.135649][T11836] binder_thread_write: 3 callbacks suppressed [ 2411.135665][T11836] binder: 11835:11836 Release 1 refcount change on invalid ref 0 ret -22 17:26:59 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KDSKBMETA(r0, 0x4b63, &(0x7f0000000100)=0x80000001) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(r0, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2411.225196][T11842] binder_alloc: binder_alloc_mmap_handler: 11835 20001000-20004000 already mapped failed -16 17:27:00 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) fchmod(r0, 0x2) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$KVM_SET_DEVICE_ATTR(r0, 0x4018aee1, &(0x7f0000000140)={0x0, 0x0, 0x7, &(0x7f0000000100)=0x8}) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2411.268780][T11836] binder: 11835:11836 ioctl 40086602 20000040 returned -22 17:27:00 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) r4 = socket$can_bcm(0x1d, 0x2, 0x2) setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f0000000100)={0x5258e4c2, 0x6, 0x8000}, 0x4) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) getsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f0000000140)={{{@in=@empty, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6}, 0x0, @in6=@mcast2}}, &(0x7f0000000240)=0xe8) stat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) write$FUSE_ATTR(r1, &(0x7f0000000340)={0x78, 0xffffffffffffffda, 0x7, {0x2, 0x6, 0x0, {0x2, 0xfffffffffffffff8, 0xffffffffffff8748, 0x7, 0x8, 0x10001, 0x0, 0x36, 0x7, 0x5, 0x8, r5, r6, 0x5, 0x5}}}, 0x78) socket$unix(0x1, 0x1, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r7 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) fcntl$getown(r4, 0x9) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r8, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f00000003c0)=0x1, 0x4) [ 2411.332557][T11845] binder: BINDER_SET_CONTEXT_MGR already set 17:27:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x7, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2411.487120][T11845] binder: 11835:11845 ioctl 40046207 0 returned -16 [ 2411.487162][T11836] binder_alloc: 11835: binder_alloc_buf, no vma [ 2411.500303][T12655] binder: send failed reply for transaction 1453 to 11835:11836 [ 2411.507967][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2411.554213][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:27:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x7, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2411.634362][T11836] binder: 11835:11836 transaction failed 29189/-3, size 24-8 line 3147 17:27:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full\x00', 0x800c2, 0x0) epoll_ctl$EPOLL_CTL_MOD(r1, 0x3, r0, &(0x7f0000000140)={0x20000000}) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) r3 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000040)={0x0, 0x84, 0x1000, 0x4}, &(0x7f0000000080)=0x10) setsockopt$inet_sctp6_SCTP_RESET_ASSOC(r3, 0x84, 0x78, &(0x7f00000000c0)=r4, 0x4) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:27:00 executing program 4: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@remote, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in6=@empty}}, &(0x7f0000000440)=0xe8) r3 = getgid() fchown(r0, r2, r3) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r5 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$BLKROTATIONAL(r1, 0x127e, &(0x7f0000000100)) r6 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r7 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r6, r8, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) setsockopt$ARPT_SO_SET_ADD_COUNTERS(r5, 0x0, 0x61, &(0x7f0000000480)={'filter\x00', 0x4}, 0x68) r9 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000180)='IPVS\x00') sendmsg$IPVS_CMD_GET_CONFIG(r6, &(0x7f0000000300)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x40002000}, 0xc, &(0x7f00000002c0)={&(0x7f00000001c0)={0xec, r9, 0xa00, 0x70bd2c, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_DAEMON={0x48, 0x3, [@IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x2}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x3}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x4}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'bridge0\x00'}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x4}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x5}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0xa95}]}, @IPVS_CMD_ATTR_SERVICE={0xc, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8, 0xb, 'sip\x00'}]}, @IPVS_CMD_ATTR_DAEMON={0x38, 0x3, [@IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x3}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @remote}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0xfffffffffffffffd}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0xa83}]}, @IPVS_CMD_ATTR_DEST={0x4c, 0x2, [@IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x8}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x66b}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x5}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x2}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x800}]}]}, 0xec}, 0x1, 0x0, 0x0, 0x10}, 0x4) 17:27:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x7, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:27:00 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2411.926403][T11859] binder: 11858:11859 Release 1 refcount change on invalid ref 0 ret -22 [ 2412.016768][T11866] binder_alloc: binder_alloc_mmap_handler: 11858 20001000-20004000 already mapped failed -16 17:27:00 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) fchmod(r0, 0x2) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$KVM_SET_DEVICE_ATTR(r0, 0x4018aee1, &(0x7f0000000140)={0x0, 0x0, 0x7, &(0x7f0000000100)=0x8}) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:00 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2412.081031][T11869] binder: BINDER_SET_CONTEXT_MGR already set [ 2412.106407][T11869] binder: 11858:11869 ioctl 40046207 0 returned -16 [ 2412.132426][T11859] binder_alloc: 11858: binder_alloc_buf, no vma [ 2412.200548][T11866] binder: 11858:11866 Release 1 refcount change on invalid ref 0 ret -22 [ 2412.218794][T11859] binder: 11858:11859 transaction failed 29189/-3, size 24-8 line 3147 [ 2412.291540][T12655] binder: send failed reply for transaction 1458 to 11858:11859 [ 2412.328330][T12655] binder: undelivered TRANSACTION_COMPLETE 17:27:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) open_by_handle_at(r1, &(0x7f0000000000)={0x2b, 0x80000001, "33ad0cba1f78d5db920b884616f51f1af8198cb89cdf7bcf3b8f526fe3e7e65e3e2d53"}, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:27:01 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:01 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x7, 0x45) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:01 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x0, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2412.491742][T11882] binder: 11879:11882 Release 1 refcount change on invalid ref 0 ret -22 [ 2412.557397][T11885] binder_alloc: binder_alloc_mmap_handler: 11879 20001000-20004000 already mapped failed -16 [ 2412.629463][T11889] binder: BINDER_SET_CONTEXT_MGR already set [ 2412.655991][T11889] binder: 11879:11889 ioctl 40046207 0 returned -16 17:27:01 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2412.720549][T11885] binder: 11879:11885 Release 1 refcount change on invalid ref 0 ret -22 [ 2412.734260][T11882] binder_alloc: 11879: binder_alloc_buf, no vma [ 2412.771300][T11882] binder: 11879:11882 transaction failed 29189/-3, size 24-8 line 3147 [ 2412.780530][T12655] binder_release_work: 3 callbacks suppressed [ 2412.780538][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2412.818669][T12655] binder: send failed reply for transaction 1463 to 11879:11882 17:27:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0x80141, 0x0) bind$inet(r2, &(0x7f0000000080)={0x2, 0x4e21, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x10) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x400, 0x0) [ 2412.854726][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2412.868322][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:27:01 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(0x0, 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:01 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) stat(&(0x7f0000000300)='./file0\x00', &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, 0x0}) setfsuid(r3) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getsockopt$IP_VS_SO_GET_DESTS(r2, 0x0, 0x484, &(0x7f00000001c0)=""/199, &(0x7f00000002c0)=0xc7) accept4$unix(r2, &(0x7f0000000100)=@abs, &(0x7f0000000180)=0x6e, 0x80800) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2412.974862][T11897] binder: 11896:11897 Release 1 refcount change on invalid ref 0 ret -22 17:27:01 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_mreqn(r2, 0x0, 0x24, &(0x7f0000000100)={@multicast2, @multicast2}, &(0x7f0000000140)=0xc) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) 17:27:01 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) ioctl$void(r1, 0xc0045878) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2413.047745][T11898] binder_alloc: binder_alloc_mmap_handler: 11896 20001000-20004000 already mapped failed -16 [ 2413.143869][T11897] binder: BINDER_SET_CONTEXT_MGR already set [ 2413.216733][T11897] binder: 11896:11897 ioctl 40046207 0 returned -16 [ 2413.262245][T11908] binder_alloc: 11896: binder_alloc_buf, no vma [ 2413.317169][T11908] binder: 11896:11908 transaction failed 29189/-3, size 24-8 line 3147 17:27:02 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_mreqn(r2, 0x0, 0x24, &(0x7f0000000100)={@multicast2, @multicast2}, &(0x7f0000000140)=0xc) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) [ 2413.368315][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2413.413852][T12655] binder: send failed reply for transaction 1468 to 11896:11897 17:27:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) fcntl$setflags(r0, 0x2, 0x0) r1 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vcs\x00', 0x0, 0x0) setsockopt$inet6_buf(r1, 0x29, 0x1c, &(0x7f00000004c0)="9e864849b7114081487bacc1f3996995dbe362f57c698ebbc90000ed6faddd96a38d0e80f29dd1841b899c04d0206bd4945997bb3d84ce16b1ae9ea20eac70633fa41c2ae59a8a9931b0972e47c6408980a9df55b700654b6743d419411cd73b02d81b0ec3769bb51b70acb8d79652028d112aadc0fc15c9c12a01d65fa6ba30c8c8a01f88844d7877c9cec066a46cc4df0e4f3ee32710d690ecb939554f02d6017252b21699d5538cb77619bc57f6a16924eb25e8baee7324bd3fa980d65e17e2500c2a02e60a1464ad8c350844f1ec8c009c7ad4b863949fe5849e0531f0", 0xdf) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) r3 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000100)='/proc/self/net/pfkey\x00', 0x0, 0x0) getsockopt$TIPC_SOCK_RECVQ_DEPTH(r3, 0x10f, 0x84, &(0x7f0000000140), &(0x7f0000000180)=0x4) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) r4 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x400, 0x0) write$P9_RREADDIR(r4, &(0x7f0000000040)={0xa0, 0x29, 0x1, {0x1, [{{0x1, 0x4}, 0x9, 0x6d7, 0x7, './file0'}, {{0x20, 0x1, 0x3}, 0x6, 0x5, 0x7, './file0'}, {{0x0, 0x3, 0x3}, 0x0, 0x7, 0x7, './file0'}, {{0x50, 0x2, 0x8}, 0x8, 0x40, 0x7, './file0'}, {{0x8, 0x3, 0x4}, 0x7d7d, 0x1, 0x1, '.'}]}}, 0xa0) [ 2413.455205][T12655] binder: undelivered TRANSACTION_COMPLETE [ 2413.477424][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2413.528686][T11916] binder: 11915:11916 got transaction with invalid offset (0, min 0 max 24) or object. [ 2413.552776][T11916] binder: 11915:11916 transaction failed 29201/-22, size 24-8 line 3241 [ 2413.563106][T11916] binder: 11915:11916 Release 1 refcount change on invalid ref 0 ret -22 17:27:02 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) ioctl$void(r1, 0xc0045878) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:02 executing program 0: perf_event_open(&(0x7f0000000880)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) setsockopt$inet_dccp_int(r0, 0x21, 0x4, &(0x7f0000000040)=0x5, 0x4) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000140)={{{@in6=@ipv4={[], [], @initdev}, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in=@broadcast}}, &(0x7f0000000240)=0xe8) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000280)={0x0, 0x0}, &(0x7f00000002c0)=0xc) r6 = getuid() getsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x22, &(0x7f0000000300)={{{@in, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@empty}, 0x0, @in=@initdev}}, &(0x7f0000000400)=0xe8) lstat(&(0x7f0000000440)='./file0\x00', &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000000500), &(0x7f0000000540), &(0x7f0000000580)=0x0) r10 = getgid() getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f00000005c0)={0x0, 0x0, 0x0}, &(0x7f0000000600)=0xc) fstat(r0, &(0x7f0000000640)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f00000006c0)={0x0, 0x0, 0x0}, &(0x7f0000000700)=0xc) getgroups(0x3, &(0x7f0000000740)=[0xee01, 0xee00, 0xee00]) fsetxattr$system_posix_acl(r0, &(0x7f0000000100)='system.posix_acl_access\x00', &(0x7f0000000780)={{}, {0x1, 0x1}, [{0x2, 0x2, r4}, {0x2, 0xbf08d889f31d3ecb, r5}, {0x2, 0x7, r6}, {0x2, 0x4, r7}], {0x4, 0x2}, [{0x8, 0x6, r8}, {0x8, 0x1, r9}, {0x8, 0x2, r10}, {0x8, 0x2, r11}, {0x8, 0x4, r12}, {0x8, 0x4, r13}, {0x8, 0x0, r14}], {0x10, 0x7}, {0x20, 0x7}}, 0x7c, 0x1) ioctl$TCGETS(r3, 0x5401, &(0x7f0000000840)) r15 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r16 = ioctl$KVM_CREATE_VCPU(r15, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r16, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:02 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_mreqn(r2, 0x0, 0x24, &(0x7f0000000100)={@multicast2, @multicast2}, &(0x7f0000000140)=0xc) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0x0) [ 2413.620671][T11919] binder_alloc: binder_alloc_mmap_handler: 11915 20001000-20004000 already mapped failed -16 [ 2413.623455][T11920] binder: BINDER_SET_CONTEXT_MGR already set 17:27:02 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x0, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:02 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2413.688987][T11920] binder: 11915:11920 ioctl 40046207 0 returned -16 [ 2413.791293][T11916] binder_alloc: 11915: binder_alloc_buf, no vma [ 2413.824876][T11920] binder: 11915:11920 Release 1 refcount change on invalid ref 0 ret -22 [ 2413.940894][T11916] binder: 11915:11916 transaction failed 29189/-3, size 24-8 line 3147 17:27:02 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8009, 0x500180de7f0000, 0x0, 0x0) [ 2414.012512][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 [ 2414.021374][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:27:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = accept4$tipc(0xffffffffffffff9c, &(0x7f00000001c0)=@name, &(0x7f0000000240)=0x10, 0x80000) r3 = syz_open_dev$media(&(0x7f00000003c0)='/dev/media#\x00', 0x1ff, 0x10000) setsockopt$netlink_NETLINK_ADD_MEMBERSHIP(r3, 0x10e, 0x1, &(0x7f0000000480)=0x8, 0x4) getpeername(r2, &(0x7f0000000000)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast2}}}, &(0x7f0000000080)=0x80) ioctl$KDDISABIO(r1, 0x4b37) connect$pptp(r4, &(0x7f00000000c0)={0x18, 0x2, {0x0, @broadcast}}, 0x1e) ioctl$sock_rose_SIOCRSCLRRT(r3, 0x89e4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x3e, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000007510dc5beed31856000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f00000004c0)=ANY=[@ANYBLOB="21101227080014455de3a4c0b13d4960ac175710e0c11758f827e5822bdda810ee4c3e81983fac7f83b4efa91bb0b87ee84d0e10b0ff957442916e515c8652ec620cf4245ae73b2e63e887f1a08da2ea9d12eceacd4c5385de06181b11b1b6423e38fec5599df392006c47954acd3d366b3b1e538cd184dfe6a83cc3781f81df250f4e66a304d8f1c26d1e31a9ba01ddf66072ee04b2c6e14bb872ecb7a73489f4dc35745bdd81148afe335c4e841a4699a9e5bf1681345813492956c46347f94977a79f36b98dea9424db7e347431c72fa6bbd6eacad7128ab7ea281229fb1135693cbf9a554e8a4459a2f0bb7bb93697", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYRES16=r1], 0x0, 0x0, 0x0}) ioctl$EXT4_IOC_GROUP_ADD(r0, 0x40286608, &(0x7f0000000340)={0x1ff, 0x20, 0x80000001, 0x1f, 0x9, 0x7fd}) signalfd(r4, &(0x7f0000000180)={0x8001}, 0x8) munmap(&(0x7f0000000000/0x11000)=nil, 0x11000) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="06430440e20d530c0df74158d955a6bf821007f49863bae390b406edd5592d7f132f05ae33e24fa4f2d4f5fec0115d7b65655ed03be6e4039e83a6b4661ac307321c69aca9ad26"], 0x0, 0x0, 0x0}) openat$cuse(0xffffffffffffff9c, &(0x7f0000000280)='/dev/cuse\x00', 0x2, 0x0) 17:27:03 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:03 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000100)={0x0}, &(0x7f0000000140)=0xc) sched_setparam(r1, &(0x7f0000000240)=0x3) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r3 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) openat$cgroup_ro(r3, &(0x7f00000001c0)='cpuset.effective_mems\x00', 0x0, 0x0) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2414.290844][T11942] binder: 11941:11942 ioctl 4b37 0 returned -22 17:27:03 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x0, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2414.374098][T11942] binder: 11941:11942 got transaction with invalid offsets ptr [ 2414.410045][T11942] binder: 11941:11942 transaction failed 29201/-14, size 24-8 line 3193 [ 2414.469343][T11951] binder: 11941:11951 ioctl 40286608 20000340 returned -22 [ 2414.533206][T11942] binder: 11941:11942 ioctl c0306201 20000380 returned -14 17:27:03 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f0000000180)={0x0, @in6={{0xa, 0x4e21, 0x20, @loopback, 0x3}}, [0x4b, 0x665800000000, 0xfd, 0x0, 0x8, 0x8, 0x2, 0x800, 0xfffffffffffffffe, 0x9, 0x6, 0x401, 0x7b, 0xfffffffffffffffa, 0x3]}, &(0x7f0000000280)=0x100) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f00000002c0)={r1, @in6={{0xa, 0x4e20, 0x3f, @loopback, 0x10000}}, 0x9, 0x3, 0x81, 0x7, 0xa}, 0x98) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) utimensat(r0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={{0x77359400}, {0x77359400}}, 0x100) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:03 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x2, 0x0, 0xa0008000) [ 2414.643291][T11951] binder_alloc: binder_alloc_mmap_handler: 11941 20001000-20004000 already mapped failed -16 17:27:03 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2414.728950][T11956] binder: BINDER_SET_CONTEXT_MGR already set [ 2414.780363][T11956] binder: 11941:11956 ioctl 40046207 0 returned -16 [ 2414.805703][T11951] binder: 11941:11951 ioctl 4b37 0 returned -22 [ 2414.903330][T11942] binder: 11941:11942 ioctl c0306201 200002c0 returned -14 [ 2414.939304][T11951] binder: 11941:11951 ioctl 40286608 20000340 returned -22 17:27:03 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000001100)={0x0, @in6={{0xa, 0x4e22, 0xffffffff, @empty, 0x1}}, 0x100000000, 0x2d7, 0x2, 0x80000000, 0x6}, &(0x7f00000011c0)=0x98) getsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r0, 0x84, 0x71, &(0x7f0000001200)={r5, 0x40}, &(0x7f0000001240)=0x8) r6 = semget(0x0, 0x7, 0x5a0) semctl$IPC_STAT(r6, 0x0, 0x2, &(0x7f0000000100)=""/4096) [ 2414.988134][T11942] binder: 11941:11942 ioctl c0306201 20000380 returned -14 17:27:03 executing program 1 (fault-call:2 fault-nth:0): pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:27:03 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2415.067398][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 17:27:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) fsetxattr$security_ima(r1, &(0x7f0000000000)='security.ima\x00', &(0x7f0000000040)=@ng={0x4, 0x12, "02ebcb3a804f4f1c3ff8483167df7c86"}, 0x12, 0x1) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2415.186812][T11971] FAULT_INJECTION: forcing a failure. [ 2415.186812][T11971] name failslab, interval 1, probability 0, space 0, times 0 [ 2415.298197][T11971] CPU: 1 PID: 11971 Comm: syz-executor.1 Not tainted 5.1.0-rc2+ #39 [ 2415.306217][T11971] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 2415.316289][T11971] Call Trace: [ 2415.319610][T11971] dump_stack+0x172/0x1f0 [ 2415.323963][T11971] should_fail.cold+0xa/0x15 [ 2415.328575][T11971] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 2415.334405][T11971] ? ___might_sleep+0x163/0x280 [ 2415.339274][T11971] __should_failslab+0x121/0x190 [ 2415.344235][T11971] should_failslab+0x9/0x14 [ 2415.348753][T11971] __kmalloc_track_caller+0x2d8/0x740 [ 2415.354136][T11971] ? lock_downgrade+0x880/0x880 [ 2415.359010][T11971] ? tomoyo_domain+0xc5/0x160 [ 2415.363776][T11971] ? snd_pcm_common_ioctl+0xd6c/0x1bf0 [ 2415.369256][T11971] memdup_user+0x26/0xb0 [ 2415.373513][T11971] snd_pcm_common_ioctl+0xd6c/0x1bf0 [ 2415.378810][T11971] ? snd_pcm_status_user+0x190/0x190 [ 2415.384113][T11971] ? __fget+0x35a/0x550 [ 2415.388291][T11971] snd_pcm_ioctl+0x85/0xc0 [ 2415.392725][T11971] ? snd_pcm_common_ioctl+0x1bf0/0x1bf0 [ 2415.398289][T11971] do_vfs_ioctl+0xd6e/0x1390 [ 2415.402894][T11971] ? ioctl_preallocate+0x210/0x210 [ 2415.408021][T11971] ? __fget+0x381/0x550 [ 2415.412205][T11971] ? ksys_dup3+0x3e0/0x3e0 [ 2415.416631][T11971] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 2415.422881][T11971] ? fput_many+0x12c/0x1a0 [ 2415.427318][T11971] ? tomoyo_file_ioctl+0x23/0x30 [ 2415.432269][T11971] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 2415.438529][T11971] ? security_file_ioctl+0x93/0xc0 [ 2415.443665][T11971] ksys_ioctl+0xab/0xd0 [ 2415.447838][T11971] __x64_sys_ioctl+0x73/0xb0 [ 2415.452441][T11971] do_syscall_64+0x103/0x610 [ 2415.457075][T11971] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 2415.462977][T11971] RIP: 0033:0x458209 [ 2415.466880][T11971] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 2415.486497][T11971] RSP: 002b:00007f4a7e138c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 17:27:04 executing program 2 (fault-call:12 fault-nth:0): r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:04 executing program 3 (fault-call:12 fault-nth:0): perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2415.494936][T11971] RAX: ffffffffffffffda RBX: 00007f4a7e138c90 RCX: 0000000000458209 [ 2415.502932][T11971] RDX: 0000000020000000 RSI: 00002000c2604110 RDI: 0000000000000003 [ 2415.510913][T11971] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 2415.510923][T11971] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4a7e1396d4 [ 2415.510931][T11971] R13: 00000000004bf379 R14: 00000000004d0d48 R15: 0000000000000004 [ 2415.543458][T11978] device sit0 left promiscuous mode 17:27:04 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) semget$private(0x0, 0x3, 0x10) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2415.611977][T11981] binder: 11980:11981 Release 1 refcount change on invalid ref 0 ret -22 [ 2415.700275][T11986] binder: BINDER_SET_CONTEXT_MGR already set [ 2415.706310][T11986] binder: 11980:11986 ioctl 40046207 0 returned -16 [ 2415.739985][T11985] binder_alloc: binder_alloc_mmap_handler: 11980 20001000-20004000 already mapped failed -16 [ 2415.766745][T11984] FAULT_INJECTION: forcing a failure. [ 2415.766745][T11984] name fail_page_alloc, interval 1, probability 0, space 0, times 0 17:27:04 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2415.835281][T11981] binder_alloc: 11980: binder_alloc_buf, no vma [ 2415.849773][T11990] binder: 11980:11990 Release 1 refcount change on invalid ref 0 ret -22 [ 2415.921403][T11984] CPU: 1 PID: 11984 Comm: syz-executor.3 Not tainted 5.1.0-rc2+ #39 [ 2415.929424][T11984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 2415.939493][T11984] Call Trace: [ 2415.942805][T11984] dump_stack+0x172/0x1f0 [ 2415.947152][T11984] should_fail.cold+0xa/0x15 [ 2415.951762][T11984] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 2415.957590][T11984] ? ___might_sleep+0x163/0x280 [ 2415.962469][T11984] should_fail_alloc_page+0x50/0x60 [ 2415.967674][T11984] __alloc_pages_nodemask+0x1a1/0x7e0 [ 2415.973061][T11984] ? __alloc_pages_slowpath+0x28b0/0x28b0 [ 2415.978793][T11984] ? pmd_val+0x85/0x100 [ 2415.982954][T11984] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 2415.989191][T11984] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 2415.995450][T11984] alloc_pages_vma+0xdd/0x540 [ 2416.000139][T11984] __handle_mm_fault+0x1dd4/0x3ec0 [ 2416.005259][T11984] ? vmf_insert_mixed_mkwrite+0x40/0x40 [ 2416.010807][T11984] ? find_held_lock+0x35/0x130 [ 2416.015576][T11984] ? handle_mm_fault+0x322/0xb30 [ 2416.020527][T11984] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 2416.026777][T11984] ? kasan_check_read+0x11/0x20 [ 2416.031637][T11984] handle_mm_fault+0x43f/0xb30 [ 2416.036412][T11984] __do_page_fault+0x5ef/0xda0 [ 2416.041196][T11984] do_page_fault+0x71/0x581 [ 2416.045701][T11984] ? page_fault+0x8/0x30 [ 2416.049947][T11984] page_fault+0x1e/0x30 [ 2416.054099][T11984] RIP: 0033:0x406d5d [ 2416.057997][T11984] Code: 0f 1f 44 00 00 c6 44 24 0e 06 48 c7 04 24 10 00 00 00 e9 56 ff ff ff e8 81 50 05 00 90 41 55 41 54 55 53 48 81 ec d8 1b 00 00 <48> 89 bc 24 08 01 00 00 48 89 b4 24 00 01 00 00 48 89 94 24 f8 00 [ 2416.077612][T11984] RSP: 002b:00007fde80032070 EFLAGS: 00010202 [ 2416.083682][T11984] RAX: 0000000000406d50 RBX: 00007fde80033c90 RCX: 0000000000000000 [ 2416.091653][T11984] RDX: 0000000020fe8000 RSI: ffffffffffffffff RDI: ffffffffffffffff [ 2416.099626][T11984] RBP: 000000000073bfa0 R08: 00705000ffff8000 R09: 0000000000000000 [ 2416.107602][T11984] R10: 0000000000000064 R11: 0000000000000000 R12: 00007fde800346d4 17:27:04 executing program 1 (fault-call:2 fault-nth:1): pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2416.115581][T11984] R13: 00000000004c69bb R14: 00000000004dbf98 R15: 0000000000000006 [ 2416.125156][T11981] binder: 11980:11981 transaction failed 29189/-3, size 24-8 line 3147 [ 2416.135542][ T2678] binder: send failed reply for transaction 1478 to 11980:11981 [ 2416.145548][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 [ 2416.166503][ T2678] binder: undelivered TRANSACTION_COMPLETE 17:27:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x140, 0x0) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000040)={0x0, 0x44, 0x30, 0x40, 0x40}, &(0x7f0000000080)=0x18) setsockopt$inet_sctp6_SCTP_RTOINFO(r2, 0x84, 0x0, &(0x7f00000000c0)={r3, 0x2, 0x7, 0x5}, 0x10) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2416.178468][T11993] device sit0 entered promiscuous mode [ 2416.187589][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:27:05 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r2 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2416.270965][T11996] binder: 11995:11996 Release 1 refcount change on invalid ref 0 ret -22 [ 2416.354289][T11999] binder_alloc: binder_alloc_mmap_handler: 11995 20001000-20004000 already mapped failed -16 [ 2416.389295][T11996] binder: BINDER_SET_CONTEXT_MGR already set [ 2416.414264][T11984] syz-executor.3 invoked oom-killer: gfp_mask=0x0(), order=0, oom_score_adj=1000 [ 2416.459665][T11984] CPU: 0 PID: 11984 Comm: syz-executor.3 Not tainted 5.1.0-rc2+ #39 [ 2416.467674][T11984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 2416.477737][T11984] Call Trace: [ 2416.481051][T11984] dump_stack+0x172/0x1f0 [ 2416.485412][T11984] dump_header+0x10f/0xb6c [ 2416.489836][T11984] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 2416.491712][T11996] binder: 11995:11996 ioctl 40046207 0 returned -16 [ 2416.495648][T11984] ? ___ratelimit+0x60/0x595 [ 2416.495665][T11984] ? do_raw_spin_unlock+0x57/0x270 [ 2416.495687][T11984] oom_kill_process.cold+0x10/0x15 [ 2416.506409][T11999] binder_alloc: 11995: binder_alloc_buf, no vma [ 2416.506856][T11984] out_of_memory+0x79a/0x1280 [ 2416.518827][T12000] binder: 11995:12000 Release 1 refcount change on invalid ref 0 ret -22 [ 2416.523289][T11984] ? lock_acquire+0x16f/0x3f0 [ 2416.523305][T11984] ? pagefault_out_of_memory+0xeb/0x11c [ 2416.523324][T11984] ? oom_killer_disable+0x280/0x280 [ 2416.523345][T11984] ? mutex_trylock+0x18e/0x1e0 [ 2416.523367][T11984] ? pagefault_out_of_memory+0xeb/0x11c [ 2416.543166][ T2678] binder: release 11995:11996 transaction 1483 out, still active [ 2416.546651][T11984] pagefault_out_of_memory+0x109/0x11c [ 2416.546667][T11984] ? out_of_memory+0x1280/0x1280 [ 2416.546690][T11984] ? lock_downgrade+0x880/0x880 [ 2416.552681][T11999] binder: 11995:11999 transaction failed 29189/-3, size 24-8 line 3147 [ 2416.556643][T11984] mm_fault_error+0x100/0x3a0 [ 2416.556675][T11984] __do_page_fault+0xc3a/0xda0 [ 2416.562246][ T2678] binder: unexpected work type, 4, not freed [ 2416.569928][T11984] do_page_fault+0x71/0x581 [ 2416.569951][T11984] ? page_fault+0x8/0x30 [ 2416.595732][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2416.598048][T11984] page_fault+0x1e/0x30 [ 2416.598069][T11984] RIP: 0033:0x406d5d [ 2416.598090][T11984] Code: 0f 1f 44 00 00 c6 44 24 0e 06 48 c7 04 24 10 00 00 00 e9 56 ff ff ff e8 81 50 05 00 90 41 55 41 54 55 53 48 81 ec d8 1b 00 00 <48> 89 bc 24 08 01 00 00 48 89 b4 24 00 01 00 00 48 89 94 24 f8 00 [ 2416.618423][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:27:05 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x2, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:05 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2416.623306][T11984] RSP: 002b:00007fde80032070 EFLAGS: 00010202 [ 2416.623320][T11984] RAX: 0000000000406d50 RBX: 00007fde80033c90 RCX: 0000000000000000 [ 2416.623330][T11984] RDX: 0000000020fe8000 RSI: ffffffffffffffff RDI: ffffffffffffffff [ 2416.623340][T11984] RBP: 000000000073bfa0 R08: 00705000ffff8000 R09: 0000000000000000 [ 2416.623349][T11984] R10: 0000000000000064 R11: 0000000000000000 R12: 00007fde800346d4 [ 2416.623357][T11984] R13: 00000000004c69bb R14: 00000000004dbf98 R15: 0000000000000006 17:27:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = syz_open_procfs(0x0, &(0x7f0000000000)='net/dev\x00') setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r2, 0x84, 0x16, &(0x7f0000000100)={0x2, [0x40, 0xfffffffffffffff7]}, 0x8) ioctl$SNDRV_SEQ_IOCTL_DELETE_PORT(r2, 0x40a85321, &(0x7f0000000040)={{0xc9b2, 0xffff}, 'port0\x00', 0x0, 0x6, 0x6, 0x0, 0x6, 0xffffffffffffffff, 0x401, 0x0, 0x1, 0x2}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) [ 2416.764562][T11984] Mem-Info: [ 2416.778632][T11984] active_anon:157081 inactive_anon:205 isolated_anon:0 [ 2416.778632][T11984] active_file:12487 inactive_file:46524 isolated_file:0 [ 2416.778632][T11984] unevictable:1 dirty:0 writeback:15 unstable:0 [ 2416.778632][T11984] slab_reclaimable:22797 slab_unreclaimable:106551 [ 2416.778632][T11984] mapped:58837 shmem:254 pagetables:1757 bounce:0 [ 2416.778632][T11984] free:1183040 free_pcp:455 free_cma:0 [ 2416.811238][T12010] FAULT_INJECTION: forcing a failure. [ 2416.811238][T12010] name failslab, interval 1, probability 0, space 0, times 0 [ 2416.830470][T12008] binder: BINDER_SET_CONTEXT_MGR already set [ 2416.852547][T12008] binder: 12007:12008 ioctl 40046207 0 returned -16 [ 2416.869027][T12010] CPU: 1 PID: 12010 Comm: syz-executor.1 Not tainted 5.1.0-rc2+ #39 [ 2416.877022][T12010] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 2416.881376][T12012] binder_alloc: 11995: binder_alloc_buf, no vma [ 2416.887098][T12010] Call Trace: [ 2416.887124][T12010] dump_stack+0x172/0x1f0 [ 2416.887147][T12010] should_fail.cold+0xa/0x15 [ 2416.887167][T12010] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 2416.887189][T12010] ? ___might_sleep+0x163/0x280 [ 2416.916227][T12010] __should_failslab+0x121/0x190 [ 2416.921166][T12010] should_failslab+0x9/0x14 [ 2416.925670][T12010] __kmalloc+0x2dc/0x740 [ 2416.929918][T12010] ? constrain_params_by_rules+0x118/0x1180 [ 2416.935812][T12010] constrain_params_by_rules+0x118/0x1180 [ 2416.941528][T12010] ? save_stack+0xa9/0xd0 [ 2416.945864][T12010] ? __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 2416.951666][T12010] ? kasan_kmalloc+0x9/0x10 [ 2416.956165][T12010] ? __kmalloc_track_caller+0x158/0x740 [ 2416.961708][T12010] ? memdup_user+0x26/0xb0 [ 2416.966122][T12010] ? snd_pcm_ioctl+0x85/0xc0 [ 2416.970714][T12010] ? __x64_sys_ioctl+0x73/0xb0 [ 2416.975473][T12010] ? do_syscall_64+0x103/0x610 [ 2416.980242][T12010] ? snd_pcm_mmap_status_fault+0x240/0x240 [ 2416.986051][T12010] ? __lock_acquire+0x548/0x3fb0 [ 2416.990994][T12010] ? __lock_acquire+0x548/0x3fb0 [ 2416.995946][T12010] ? __might_fault+0x12b/0x1e0 [ 2417.000715][T12010] snd_pcm_hw_refine+0xbf9/0xf20 [ 2417.005660][T12010] ? constrain_params_by_rules+0x1180/0x1180 [ 2417.011653][T12010] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 2417.017894][T12010] ? _copy_from_user+0xdd/0x150 [ 2417.029352][T12010] snd_pcm_common_ioctl+0xd9b/0x1bf0 [ 2417.034732][T12010] ? snd_pcm_status_user+0x190/0x190 [ 2417.040024][T12010] ? __fget+0x35a/0x550 [ 2417.044193][T12010] snd_pcm_ioctl+0x85/0xc0 [ 2417.048607][T12010] ? snd_pcm_common_ioctl+0x1bf0/0x1bf0 [ 2417.054156][T12010] do_vfs_ioctl+0xd6e/0x1390 [ 2417.058748][T12010] ? ioctl_preallocate+0x210/0x210 [ 2417.064392][T12010] ? __fget+0x381/0x550 [ 2417.068561][T12010] ? ksys_dup3+0x3e0/0x3e0 [ 2417.072980][T12010] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 2417.079222][T12010] ? fput_many+0x12c/0x1a0 [ 2417.083643][T12010] ? tomoyo_file_ioctl+0x23/0x30 [ 2417.088582][T12010] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 2417.094821][T12010] ? security_file_ioctl+0x93/0xc0 [ 2417.099934][T12010] ksys_ioctl+0xab/0xd0 [ 2417.104100][T12010] __x64_sys_ioctl+0x73/0xb0 [ 2417.108688][T12010] do_syscall_64+0x103/0x610 [ 2417.113281][T12010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 2417.119166][T12010] RIP: 0033:0x458209 [ 2417.123063][T12010] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 2417.142667][T12010] RSP: 002b:00007f4a7e138c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 2417.151082][T12010] RAX: ffffffffffffffda RBX: 00007f4a7e138c90 RCX: 0000000000458209 [ 2417.159070][T12010] RDX: 0000000020000000 RSI: 00002000c2604110 RDI: 0000000000000003 [ 2417.167057][T12010] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 2417.176009][T12010] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4a7e1396d4 [ 2417.184009][T12010] R13: 00000000004bf379 R14: 00000000004d0d48 R15: 0000000000000004 [ 2417.202342][T12008] binder: 12007:12008 Release 1 refcount change on invalid ref 0 ret -22 [ 2417.205555][T12012] binder: 12007:12012 transaction failed 29189/-3, size 24-8 line 3147 [ 2417.219231][T11984] Node 0 active_anon:630488kB inactive_anon:820kB active_file:49812kB inactive_file:186096kB unevictable:4kB isolated(anon):0kB isolated(file):0kB mapped:235348kB dirty:0kB writeback:60kB shmem:1016kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 176128kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no 17:27:06 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x2001, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) fcntl$F_SET_RW_HINT(r3, 0x40c, &(0x7f0000000140)=0x7) ioctl$TCGETS(r3, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x22, &(0x7f0000000180)={0x8, 0xd, 0x100000000, 0x8, 0x0}, &(0x7f00000001c0)=0x10) ioctl$FICLONE(r2, 0x40049409, r4) getsockopt$inet_sctp_SCTP_RTOINFO(r3, 0x84, 0x0, &(0x7f0000000200)={r5, 0x4, 0x1, 0x6}, &(0x7f0000000240)=0x10) r6 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) ioctl$DRM_IOCTL_GET_MAP(r0, 0xc0286404, &(0x7f0000000100)={0x0, 0x30ad, 0x3, 0x80, &(0x7f0000bc4000/0x3000)=nil, 0x3}) ioctl$VIDIOC_SUBDEV_G_DV_TIMINGS(r0, 0xc0845658, &(0x7f0000000280)={0x0, @bt={0x3, 0x2, 0x0, 0x2, 0x9, 0xf1eb, 0x7fff, 0x7f, 0xfffffffffffffff9, 0x0, 0x8, 0x6, 0x10000, 0x7ff, 0x4, 0x1b}}) [ 2417.273105][T12012] binder_alloc: binder_alloc_mmap_handler: 12007 20001000-20004000 already mapped failed -16 [ 2417.301271][ T2678] binder: send failed reply for transaction 1483, target dead [ 2417.312382][T12009] device sit0 left promiscuous mode [ 2417.333480][T11984] Node 1 active_anon:0kB inactive_anon:0kB active_file:136kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:0kB dirty:0kB writeback:0kB shmem:0kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 0kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no 17:27:06 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x5421, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2417.384400][T11984] Node 0 DMA free:13860kB min:220kB low:272kB high:324kB active_anon:2048kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB [ 2417.416253][T11984] lowmem_reserve[]: 0 2553 2555 2555 [ 2417.425132][T11984] Node 0 DMA32 free:934836kB min:40328kB low:49384kB high:58440kB active_anon:626508kB inactive_anon:820kB active_file:49808kB inactive_file:186088kB unevictable:4kB writepending:92kB present:3129332kB managed:2617996kB mlocked:0kB kernel_stack:8352kB pagetables:6984kB bounce:0kB free_pcp:2140kB local_pcp:1132kB free_cma:0kB [ 2417.457690][T12021] binder_alloc: 12007: binder_alloc_buf, no vma [ 2417.468866][T12021] binder: 12007:12021 transaction failed 29189/-3, size 24-8 line 3147 [ 2417.488388][T12022] binder: 12007:12022 Release 1 refcount change on invalid ref 0 ret -22 [ 2417.497478][T11984] lowmem_reserve[]: 0 0 2 2 [ 2417.509365][T11984] Node 0 Normal free:8kB min:28kB low:32kB high:36kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:786432kB managed:2204kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB 17:27:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x4, 0x8010, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r1, 0x400c6615, &(0x7f0000000140)) r2 = syz_open_dev$dmmidi(&(0x7f0000000180)='/dev/dmmidi#\x00', 0x6, 0x101140) arch_prctl$ARCH_SET_GS(0x1001, 0xe779) ioctl$KVM_SET_PIT(r2, 0x8048ae66, &(0x7f0000000280)={[{0xc5c, 0x9, 0x0, 0x10001, 0x1000, 0x9, 0xff, 0xa0, 0x8, 0x8, 0x5, 0x6, 0x3}, {0x6, 0x4, 0x0, 0x800000000, 0xfffffffffffffff9, 0x4dc4, 0x80, 0x7, 0xd0f, 0xffffffffffffffff, 0xfffffffffffffff9, 0x9, 0x1}, {0x32a3, 0x0, 0x2, 0x0, 0xfffffffffffeffff, 0x8, 0x3, 0x3f, 0x4, 0x81, 0x8, 0x7, 0x2d2}], 0xb528}) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$VIDIOC_SUBDEV_S_DV_TIMINGS(r3, 0xc0845657, &(0x7f0000000040)={0x0, @reserved}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000380)={0xfffffffffffffee5, 0x0, &(0x7f0000000100)=ANY=[@ANYRES16=r3], 0xfffffffffffffdcc, 0x0, 0x0}) [ 2417.624580][T12028] binder_alloc: 12027: binder_alloc_buf, no vma [ 2417.633472][T12028] binder: 12027:12028 transaction failed 29189/-3, size 24-8 line 3147 [ 2417.646515][T11984] lowmem_reserve[]: 0 0 0 0 [ 2417.654519][T12028] binder: 12027:12028 ioctl 400c6615 20000140 returned -22 [ 2417.666273][T11984] Node 1 Normal free:3783380kB min:53624kB low:67028kB high:80432kB active_anon:0kB inactive_anon:0kB active_file:136kB inactive_file:0kB unevictable:0kB writepending:0kB present:3932160kB managed:3870184kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB [ 2417.702688][T11984] lowmem_reserve[]: 0 0 0 0 [ 2417.707496][T11984] Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 0*2048kB 3*4096kB (UM) = 13860kB [ 2417.723054][T12029] binder: BINDER_SET_CONTEXT_MGR already set [ 2417.729102][T12029] binder: 12027:12029 ioctl 40046207 0 returned -16 [ 2417.730300][T11984] Node 0 DMA32: 2709*4kB (UME) 202*8kB (UME) 1111*16kB (UME) 2313*32kB (UME) 2301*64kB (UME) 772*128kB (UM) 504*256kB (UM) 400*512kB (UM) 238*1024kB (UME) 1*2048kB (M) 1*4096kB (M) = 934004kB [ 2417.754686][T12030] binder_alloc: 12027: binder_alloc_buf, no vma [ 2417.754727][T12030] binder: 12027:12030 transaction failed 29189/-3, size 24-8 line 3147 [ 2417.769551][T12028] binder: 12027:12028 ioctl 400c6615 20000140 returned -22 [ 2417.811058][T12655] binder_release_work: 2 callbacks suppressed [ 2417.811074][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2417.840884][T12655] binder: undelivered TRANSACTION_ERROR: 29189 [ 2417.870347][T11984] Node 0 Normal: 0*4kB 1*8kB (U) 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 8kB [ 2417.890180][T11984] Node 1 Normal: 63*4kB (UME) 241*8kB (U) 241*16kB (UE) 60*32kB (UME) 15*64kB (UM) 12*128kB (UE) 6*256kB (UM) 4*512kB (UM) 3*1024kB (ME) 1*2048kB (U) 919*4096kB (M) = 3783380kB [ 2417.946023][T11984] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB [ 2417.976143][T11984] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB [ 2418.006516][T11984] Node 1 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB [ 2418.033074][T11984] Node 1 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB [ 2418.070090][T11984] 59264 total pagecache pages [ 2418.074825][T11984] 0 pages in swap cache [ 2418.079684][T11984] Swap cache stats: add 0, delete 0, find 0/0 [ 2418.087128][T11984] Free swap = 0kB [ 2418.091221][T11984] Total swap = 0kB [ 2418.094950][T11984] 1965979 pages RAM [ 2418.098757][T11984] 0 pages HighMem/MovableOnly [ 2418.103847][T11984] 339406 pages reserved [ 2418.108009][T11984] 0 pages cma reserved 17:27:06 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x5450, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:06 executing program 0: r0 = perf_event_open(&(0x7f000001d000)={0x3, 0x70, 0xd1b, 0x0, 0x0, 0x0, 0x0, 0xb93, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) prctl$PR_SET_MM_MAP_SIZE(0x23, 0xf, &(0x7f0000000140)) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) openat$rtc(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rtc0\x00', 0x40002, 0x0) fstat(r0, &(0x7f0000000300)={0x0, 0x0, 0x0, 0x0, 0x0}) syz_mount_image$vfat(&(0x7f00000001c0)='vfat\x00', &(0x7f0000000200)='./file0\x00', 0x1f39, 0x1, &(0x7f00000002c0)=[{&(0x7f0000000240)="400704492160c9b5a792bacfdbff85df81991463f3ce5f8b8f57cbe4621a1040953dd0580b43e9c29dfd6d54e360ea89549dbc486e4888fcbe367aa00ec77568ee90af29e2", 0x45, 0x3}], 0x40, &(0x7f0000000380)={[{@nonumtail='nnonumtail=1'}, {@shortname_winnt='shortname=winnt'}, {@utf8='utf8=1'}, {@utf8='utf8=1'}, {@utf8='utf8=1'}, {@shortname_winnt='shortname=winnt'}], [{@obj_role={'obj_role', 0x3d, 'ppp0'}}, {@uid_lt={'uid<', r3}}]}) r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) socket$inet_sctp(0x2, 0x5, 0x84) bind$inet(r1, &(0x7f0000000180)={0x2, 0x4e20, @multicast2}, 0x6) setsockopt$inet_sctp6_SCTP_AUTH_CHUNK(r4, 0x84, 0x15, &(0x7f0000000400)={0x7f}, 0x1) r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:06 executing program 1 (fault-call:2 fault-nth:2): pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) 17:27:06 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x802) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="000000e5ffffff00", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0x4000, 0x0) r3 = getpid() ioctl$SNDRV_CTL_IOCTL_ELEM_ADD(r2, 0xc1105517, &(0x7f00000004c0)={{0x5, 0x3, 0x9, 0xfffffffffffffffe, '\x00', 0x9b3}, 0x1, 0x10, 0x1, r3, 0x2, 0x100000001, 'syz1\x00', &(0x7f0000000080)=['/dev/binder#\x00', ']\x00'], 0xf, [], [0x3, 0x6, 0x1]}) 17:27:06 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) ioctl$EVIOCGRAB(r2, 0x40044590, &(0x7f0000000100)=0x4) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2418.112468][T11984] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=syz3,mems_allowed=0-1,global_oom,task_memcg=/syz3,task=syz-executor.3,pid=8180,uid=0 [ 2418.127766][T11984] Out of memory: Killed process 8180 (syz-executor.3) total-vm:72580kB, anon-rss:4240kB, file-rss:35816kB, shmem-rss:0kB [ 2418.143148][ T1043] oom_reaper: reaped process 8180 (syz-executor.3), now anon-rss:0kB, file-rss:34856kB, shmem-rss:0kB [ 2418.223519][T12038] binder: 12034:12038 got transaction with invalid offset (0, min 0 max 24) or object. [ 2418.256757][T12033] FAT-fs (loop0): Unrecognized mount option "nnonumtail=1" or missing value [ 2418.280228][T12038] binder: 12034:12038 transaction failed 29201/-22, size 24-8 line 3241 [ 2418.309538][T12043] binder: 12034:12043 Release 1 refcount change on invalid ref 0 ret -22 17:27:07 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x2000c2604110, &(0x7f0000000000)) [ 2418.377523][T12043] binder_alloc: binder_alloc_mmap_handler: 12034 20001000-20004000 already mapped failed -16 17:27:07 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x5451, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2418.450309][T12038] binder: BINDER_SET_CONTEXT_MGR already set [ 2418.473915][T12049] binder_alloc: 12034: binder_alloc_buf, no vma 17:27:07 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, r0, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r3, 0x84, 0x22, &(0x7f0000000100)={0x6, 0x0, 0x3, 0x9, 0x0}, &(0x7f0000000140)=0x10) setsockopt$inet_sctp_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f0000000180)={r4, 0x4, 0x1, 0x6, 0x8000, 0x1910a52e}, 0x14) ioctl$sock_inet_SIOCSIFDSTADDR(r3, 0x8918, &(0x7f0000000200)={'veth1_to_bridge\x00', {0x2, 0x4e21, @multicast2}}) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) mkdir(&(0x7f00000001c0)='./file0\x00', 0x1) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) [ 2418.545104][T12043] binder: 12034:12043 Release 1 refcount change on invalid ref 0 ret -22 17:27:07 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000000002, &(0x7f0000000000)) [ 2418.619986][T12038] binder: 12034:12038 ioctl 40046207 0 returned -16 [ 2418.623477][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 [ 2418.649454][T12049] binder: 12034:12049 transaction failed 29189/-3, size 24-8 line 3147 [ 2418.711953][T12655] binder: undelivered TRANSACTION_ERROR: 29189 17:27:07 executing program 4: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx\x00', 0x200000, 0x0) fcntl$F_GET_RW_HINT(r0, 0x40b, &(0x7f0000000140)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r1, 0xc010640b, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r1, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:27:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs\x00', 0x440000, 0x0) ioctl$RTC_AIE_ON(r2, 0x7001) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="a30917b425f3264b"], 0x0, 0x0, 0x0}) 17:27:07 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x5452, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:07 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004112, &(0x7f0000000000)) 17:27:07 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8002, 0x0, 0x0, 0xa0008000) [ 2418.928143][T12072] binder: 12071:12072 unknown command -1273558621 [ 2419.010455][T12072] binder: 12071:12072 ioctl c0306201 20000380 returned -22 17:27:07 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x5460, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2419.077413][T12072] binder: BINDER_SET_CONTEXT_MGR already set 17:27:07 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004122, &(0x7f0000000000)) [ 2419.127714][T12072] binder: 12071:12072 ioctl 40046207 0 returned -16 [ 2419.189970][ T2678] binder: release 12071:12072 transaction 1497 out, still active [ 2419.197723][ T2678] binder: unexpected work type, 4, not freed [ 2419.197732][ T2678] binder: undelivered TRANSACTION_COMPLETE [ 2419.197817][ T2678] binder: send failed reply for transaction 1497, target dead [ 2419.217329][T12081] binder_alloc: 12071: binder_alloc_buf, no vma [ 2419.291152][T12081] binder: 12071:12081 transaction failed 29189/-3, size 24-8 line 3147 17:27:08 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8901, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:08 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004140, &(0x7f0000000000)) [ 2419.350271][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:27:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000300)='/dev/dlm_plock\x00', 0x500, 0x0) getsockopt$TIPC_SOCK_RECVQ_DEPTH(r2, 0x10f, 0x84, &(0x7f0000000340), &(0x7f0000000640)=0x4) r3 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0x6, 0x10040) r4 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00') sendmsg$TIPC_NL_UDP_GET_REMOTEIP(r3, &(0x7f0000000280)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x10002}, 0xc, &(0x7f0000000180)={&(0x7f00000000c0)={0x14, r4, 0x100, 0x70bd2b, 0x25dfdbfe}, 0x14}, 0x1, 0x0, 0x0, 0x10}, 0x4) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r5 = getpgrp(0x0) ptrace$setregs(0xf, r5, 0x0, &(0x7f00000002c0)="10e887") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f00000004c0)=ANY=[@ANYBLOB="00634040000000f50000000000000000000000000000000000000000000000000000000018000000000000000800000000000000eed8380d5a42030cb52eb88d9c589bf3b37addbcf18e627b6877671e42eb376ed18ef35c82c827acf78fe67653d9e2d0deb1e001817a6553781a7b2f584ba09e45942b82980256c89fde3733f66b48f0f7987cf275bf3bf6d37b2177f4ae0391caa2f2b275191b67001763c8e5c05fb09bbec6f51069d454229613adf1c4968157228ab0d09552b1da80b11bf4c87403ffad4811f5c93f71044ccb96e4f95911de9b8567900f238fc3ffb79804ece5f6b05c9d6656ced4c80eed4d000ea3ef1fa46589b775a725f505b70b5a09c45ce14a688969af44cbc087e4cc5fb4fe3832200f7bd1fee6676d7f480d581858cbcd6116db8a18adbe0393dba756428a50a0b6e5d0ea2d20b0d65ffade744863140d95dbeab522855157ab65106b1bf494684bca2e0000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:27:08 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/expire_nodest_conn\x00', 0x2, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:08 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) fstat(r0, &(0x7f0000000100)) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(r0, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r2, 0x84, 0x16, &(0x7f0000000180)={0x6, [0x80000001, 0xd7a, 0xac20000000000, 0x80, 0x5, 0x60000000000000]}, &(0x7f00000001c0)=0x10) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:27:08 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8003, 0x0, 0x0, 0xa0008000) 17:27:08 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8902, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:08 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004141, &(0x7f0000000000)) [ 2419.619774][T12102] binder: 12101:12102 got transaction to invalid handle [ 2419.679999][T12102] binder: 12101:12102 transaction failed 29201/-22, size 24-8 line 2994 [ 2419.696747][T12110] binder: 12101:12110 Release 1 refcount change on invalid ref 0 ret -22 17:27:08 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004142, &(0x7f0000000000)) 17:27:08 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8903, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2419.825166][T12110] binder_alloc: binder_alloc_mmap_handler: 12101 20001000-20004000 already mapped failed -16 [ 2419.946167][T12110] binder: BINDER_SET_CONTEXT_MGR already set [ 2419.985447][T12110] binder: 12101:12110 ioctl 40046207 0 returned -16 [ 2419.992683][T12102] binder: 12101:12102 got transaction to invalid handle 17:27:08 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004143, &(0x7f0000000000)) 17:27:08 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8904, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2420.065704][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 [ 2420.093592][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 17:27:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="006340400000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="0c730440"], 0x0, 0x0, 0x0}) 17:27:08 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) ioctl$SIOCSIFMTU(r2, 0x8922, &(0x7f0000000100)={'eql\x00', 0x6}) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x0, 0x0, 0xa0008000) 17:27:08 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004144, &(0x7f0000000000)) 17:27:09 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8009, 0x0, 0x0, 0xa0008000) [ 2420.236504][T12134] binder_alloc: 12133: binder_alloc_buf size 633318697599040 failed, no address space 17:27:09 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(r0, 0x0, 0x111000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2420.294841][T12134] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) 17:27:09 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8905, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:09 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004147, &(0x7f0000000000)) [ 2420.364535][T12142] binder: 12133:12142 unknown command 1074033420 [ 2420.408221][T12142] binder: 12133:12142 ioctl c0306201 20000380 returned -22 [ 2420.457021][T12142] binder_alloc: binder_alloc_mmap_handler: 12133 20001000-20004000 already mapped failed -16 17:27:09 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004148, &(0x7f0000000000)) [ 2420.549299][T12134] binder: BINDER_SET_CONTEXT_MGR already set [ 2420.600598][T12134] binder: 12133:12134 ioctl 40046207 0 returned -16 [ 2420.615686][T12159] binder_alloc: 12133: binder_alloc_buf, no vma 17:27:09 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8906, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:09 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000004161, &(0x7f0000000000)) [ 2420.700336][ T2678] binder: undelivered TRANSACTION_ERROR: 29201 [ 2420.722385][ T2678] binder: undelivered TRANSACTION_ERROR: 29189 17:27:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB="002b49aac4000000d6884f1d5a5f1ed0003a924e48f58ade0a19bacab7f899fd0844b849181502e92422e8f317b7403d04c14a13b0a3"]], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000380)={0x4, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="06630440"], 0x0, 0x0, 0x0}) 17:27:09 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) ioctl$SNDRV_CTL_IOCTL_TLV_WRITE(r2, 0xc008551b, &(0x7f0000000100)={0x6, 0x10, [0x2, 0x7, 0x6, 0x8]}) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) 17:27:09 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000005421, &(0x7f0000000000)) 17:27:09 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8907, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2420.905679][T12174] ------------[ cut here ]------------ [ 2420.911183][T12174] kernel BUG at drivers/android/binder_alloc.c:1141! [ 2420.937911][T12174] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 2420.944015][T12174] CPU: 0 PID: 12174 Comm: syz-executor.5 Not tainted 5.1.0-rc2+ #39 [ 2420.951990][T12174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 2420.962124][T12174] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 2420.968623][T12174] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 1f f8 23 fc 4c 89 e6 4c 89 ef e8 34 f9 23 fc 4d 39 e5 76 07 e8 0a f8 23 fc <0f> 0b e8 03 f8 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 11 [ 2420.988248][T12174] RSP: 0018:ffff88809094f550 EFLAGS: 00010212 [ 2420.994308][T12174] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc9001088c000 [ 2421.002271][T12174] RDX: 0000000000000409 RSI: ffffffff854c7976 RDI: 0000000000000006 [ 2421.010236][T12174] RBP: ffff88809094f5d0 R08: ffff88809659a200 R09: 0000000000000028 [ 2421.018201][T12174] R10: ffffed1012129f01 R11: ffff88809094f80f R12: 0000000000000020 [ 2421.026165][T12174] R13: 0000000000000028 R14: ffff8880a0404b10 R15: 0000000000000000 [ 2421.040213][T12174] FS: 00007f23dea98700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 2421.049131][T12174] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2421.055705][T12174] CR2: 0000000000a544e0 CR3: 0000000099b7d000 CR4: 00000000001426f0 [ 2421.065130][T12174] Call Trace: [ 2421.068424][T12174] ? memcpy+0x46/0x50 [ 2421.072411][T12174] binder_alloc_copy_from_buffer+0x37/0x42 [ 2421.078272][T12174] binder_get_object+0xc3/0x200 [ 2421.083125][T12174] binder_transaction+0x2b4a/0x6690 [ 2421.088332][T12174] ? binder_thread_read+0x3d50/0x3d50 [ 2421.093700][T12174] ? __lock_acquire+0x548/0x3fb0 [ 2421.098643][T12174] ? __might_fault+0x12b/0x1e0 [ 2421.103414][T12174] ? lock_downgrade+0x880/0x880 [ 2421.108266][T12174] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 2421.114503][T12174] ? _copy_from_user+0xdd/0x150 [ 2421.119350][T12174] binder_thread_write+0x64a/0x2820 [ 2421.124551][T12174] ? binder_transaction+0x6690/0x6690 [ 2421.129920][T12174] ? __might_fault+0x12b/0x1e0 [ 2421.134690][T12174] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 2421.140930][T12174] ? _copy_from_user+0xdd/0x150 [ 2421.145776][T12174] binder_ioctl+0x1033/0x183b [ 2421.150454][T12174] ? binder_thread_write+0x2820/0x2820 [ 2421.155907][T12174] ? tomoyo_path_number_perm+0x263/0x520 [ 2421.161533][T12174] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 2421.167971][T12174] ? binder_thread_write+0x2820/0x2820 [ 2421.173428][T12174] do_vfs_ioctl+0xd6e/0x1390 [ 2421.178018][T12174] ? ioctl_preallocate+0x210/0x210 [ 2421.183127][T12174] ? __fget+0x381/0x550 [ 2421.187278][T12174] ? ksys_dup3+0x3e0/0x3e0 [ 2421.191743][T12174] ? nsecs_to_jiffies+0x30/0x30 [ 2421.196598][T12174] ? tomoyo_file_ioctl+0x23/0x30 [ 2421.201530][T12174] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 2421.207767][T12174] ? security_file_ioctl+0x93/0xc0 [ 2421.212874][T12174] ksys_ioctl+0xab/0xd0 [ 2421.217028][T12174] __x64_sys_ioctl+0x73/0xb0 [ 2421.221627][T12174] do_syscall_64+0x103/0x610 [ 2421.226221][T12174] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 2421.232109][T12174] RIP: 0033:0x458209 [ 2421.235999][T12174] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 2421.255592][T12174] RSP: 002b:00007f23dea97c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 2421.264003][T12174] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209 [ 2421.272139][T12174] RDX: 00000000200001c0 RSI: 00000000c0306201 RDI: 0000000000000003 [ 2421.280103][T12174] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 2421.288073][T12174] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f23dea986d4 [ 2421.296035][T12174] R13: 00000000004bf49a R14: 00000000004d0e80 R15: 00000000ffffffff 17:27:10 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(0x0, 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, 0x0) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff80fe, 0x0, 0x0, 0xa0008000) 17:27:10 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, 0x0) mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) perf_event_open$cgroup(&(0x7f0000000100)={0x6, 0x70, 0x7ff00000000, 0x1, 0xfffffffffffffffd, 0x100000000, 0x0, 0x5, 0x80000, 0x8, 0xd91b, 0x5, 0x2, 0x0, 0x20, 0x263, 0x80000000, 0x8, 0x90, 0x7, 0xfffffffffffffff9, 0x4, 0x6, 0x2, 0xfff, 0xa11, 0x1, 0xffffffffffffffff, 0x100, 0xfffffffffffffeff, 0x5dc00000000000, 0x8, 0x4, 0x2, 0x7, 0x3, 0x80000001, 0x7ff, 0x0, 0x80000000, 0x2, @perf_config_ext={0xffffffffffffffff, 0x74b}, 0x80, 0x5508000000000000, 0x5, 0xf, 0x9, 0x34327d53, 0x389}, r0, 0xe, 0xffffffffffffffff, 0x0) r2 = openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r3 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) epoll_ctl$EPOLL_CTL_MOD(r0, 0x3, r2, &(0x7f0000000200)={0x1}) r4 = getpgrp(0x0) perf_event_open(&(0x7f0000000180)={0x4, 0x70, 0x2, 0x5, 0x1f, 0x80, 0x0, 0x3, 0x40, 0xb, 0x101, 0x80000001, 0x3, 0x5, 0x80000001, 0x6, 0x8, 0x673, 0x8000, 0x2, 0x2, 0x200, 0xff, 0x40, 0x20464e9d, 0x1f, 0x5, 0x7f, 0x571, 0x5, 0x2, 0x28f, 0x8, 0xffffffff, 0x5, 0x9, 0x11e6f82f, 0x34e6, 0x0, 0x200, 0x4, @perf_config_ext={0x5, 0xd7}, 0x2000, 0xffffffff, 0x5, 0x7, 0xfffffffffffff9da, 0x5, 0x4}, r4, 0xf, r2, 0x2) ioctl$int_in(r3, 0x5473, &(0x7f0000000240)=0x4) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r5 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_init_net_socket$netrom(0x6, 0x5, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x40, 0x0, 0x0) [ 2421.304020][T12174] Modules linked in: [ 2421.312788][T12174] ---[ end trace eadd86f2ea13c35e ]--- [ 2421.318430][T12176] binder: 12173:12176 Release 1 refcount change on invalid ref 0 ret -22 [ 2421.333843][ T3876] kobject: 'loop3' (0000000092ab2744): kobject_uevent_env [ 2421.354654][ T3876] kobject: 'loop3' (0000000092ab2744): fill_kobj_path: path = '/devices/virtual/block/loop3' [ 2421.361368][T12174] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 2421.378370][ T3876] kobject: 'loop1' (0000000023e6b454): kobject_uevent_env [ 2421.387545][ T3876] kobject: 'loop1' (0000000023e6b454): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 2421.398897][T12174] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 1f f8 23 fc 4c 89 e6 4c 89 ef e8 34 f9 23 fc 4d 39 e5 76 07 e8 0a f8 23 fc <0f> 0b e8 03 f8 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 11 [ 2421.439936][T12174] RSP: 0018:ffff88809094f550 EFLAGS: 00010212 [ 2421.454617][T12174] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc9001088c000 [ 2421.456875][T12182] kobject: 'kvm' (0000000041acf01f): kobject_uevent_env [ 2421.474219][T12182] kobject: 'kvm' (0000000041acf01f): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 2421.477011][T12174] RDX: 0000000000000409 RSI: ffffffff854c7976 RDI: 0000000000000006 [ 2421.504720][T12185] kobject: 'kvm' (0000000041acf01f): kobject_uevent_env [ 2421.511809][T12185] kobject: 'kvm' (0000000041acf01f): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 2421.519913][T12174] RBP: ffff88809094f5d0 R08: ffff88809659a200 R09: 0000000000000028 [ 2421.525446][T12178] kobject: 'kvm' (0000000041acf01f): kobject_uevent_env [ 2421.538703][T12178] kobject: 'kvm' (0000000041acf01f): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 2421.539938][T12174] R10: ffffed1012129f01 R11: ffff88809094f80f R12: 0000000000000020 [ 2421.574475][T12178] kobject: 'kvm' (0000000041acf01f): kobject_uevent_env [ 2421.577415][T12174] R13: 0000000000000028 R14: ffff8880a0404b10 R15: 0000000000000000 [ 2421.581613][T12178] kobject: 'kvm' (0000000041acf01f): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 2421.609879][T12174] FS: 00007f23dea98700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 17:27:10 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000005450, &(0x7f0000000000)) 17:27:10 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8908, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) 17:27:10 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0xc298, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0) openat(0xffffffffffffffff, 0x0, 0x80000, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0xffffffffffffffff, 0x2) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) ioctl$TCGETS(r0, 0x5401, &(0x7f0000000040)) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) getsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f0000000140)={{{@in6=@local, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in6=@mcast2}}, &(0x7f0000000240)=0xe8) getgroups(0x1, &(0x7f0000000280)=[0xffffffffffffffff]) fchownat(r0, &(0x7f0000000100)='./file0\x00', r4, r5, 0x1800) r6 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, r6, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x705000ffff8000, 0x500180de7f0000, 0x0, 0x0) [ 2421.625087][ T3876] kobject: 'loop4' (00000000095d938a): kobject_uevent_env [ 2421.647271][T12174] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 17:27:10 executing program 1: pselect6(0x40, &(0x7f0000000000)={0x0, 0x40003, 0x0, 0x0, 0x100000000000000}, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x1c9c380}, &(0x7f0000000080)={&(0x7f0000000100), 0x2}) r0 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) ioctl(r0, 0x200000005451, &(0x7f0000000000)) [ 2421.680923][ T3876] kobject: 'loop4' (00000000095d938a): fill_kobj_path: path = '/devices/virtual/block/loop4' [ 2421.698581][T12174] CR2: 000000000070cbb4 CR3: 0000000099b7d000 CR4: 00000000001426f0 [ 2421.709437][T12176] binder_alloc: binder_alloc_mmap_handler: 12173 20001000-20004000 already mapped failed -16 17:27:10 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x0, 0x0) write$P9_RWSTAT(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000500)={'sit0\x00\x00\x00\x00\x00\x00\x00\xd6\x00'}) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ion(0xffffffffffffff9c, 0x0, 0x0, 0x0) syz_init_net_socket$llc(0x1a, 0x1, 0x0) dup(r1) r2 = openat$userio(0xffffffffffffff9c, 0x0, 0x2, 0x0) setsockopt$CAIFSO_REQ_PARAM(0xffffffffffffffff, 0x116, 0x80, 0x0, 0x0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r2, 0x0, 0x0) socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8909, &(0x7f00000000c0)={'sit0\x00\x00\xff\xff\xff\xff\xa0\x00Q\xfc\x03\x00', 0x141}) [ 2421.746602][ T3876] kobject: 'loop1' (0000000023e6b454): kobject_uevent_env [ 2421.748523][T12200] kobject: 'kvm' (0000000041acf01f): kobject_uevent_env [ 2421.775569][ T3876] kobject: 'loop1' (0000000023e6b454): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 2421.787425][T12176] binder: BINDER_SET_CONTEXT_MGR already set [ 2421.797997][T12204] binder_alloc: 12173: binder_alloc_buf, no vma [ 2421.798816][T12205] kobject: 'kvm' (0000000041acf01f): kobject_uevent_env [ 2421.810257][T12200] kobject: 'kvm' (0000000041acf01f): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 2421.816936][T12188] kobject: 'kvm' (0000000041acf01f): kobject_uevent_env [ 2421.823495][T12176] binder: 12173:12176 ioctl 40046207 0 returned -16 [ 2421.828633][T12174] Kernel panic - not syncing: Fatal exception [ 2421.841742][T12174] Kernel Offset: disabled [ 2421.846061][T12174] Rebooting in 86400 seconds..