0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:50 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6c}], 0x0, 0x0, 0x0})

17:33:50 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x500)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  423.079818][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  423.085684][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:33:50 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  423.150721][T12068] binder: BINDER_SET_CONTEXT_MGR already set
17:33:50 executing program 4:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r0, 0x8}, {r0, 0x1}, {r0, 0x7c5bbb9ab24de92b}, {0xffffffffffffffff, 0x2000}, {0xffffffffffffffff, 0x202}, {0xffffffffffffffff, 0x4}, {r0, 0x1}], 0x7, 0x100000001)

17:33:50 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  423.192328][   T12] binder: release 12066:12068 transaction 813 out, still active
[  423.204630][T12068] binder: 12066:12068 ioctl 40046207 0 returned -16
[  423.219841][   T12] binder: unexpected work type, 4, not freed
[  423.232927][   T12] binder: send failed reply for transaction 813, target dead
[  423.240442][    C0] protocol 88fb is buggy, dev hsr_slave_0
17:33:50 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:50 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x74}], 0x0, 0x0, 0x0})

17:33:50 executing program 4:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r0, 0x8}, {r0, 0x1}, {r0, 0x7c5bbb9ab24de92b}, {0xffffffffffffffff, 0x2000}, {0xffffffffffffffff, 0x202}, {0xffffffffffffffff, 0x4}, {r0, 0x1}], 0x7, 0x100000001)

[  423.373545][T12089] binder: BINDER_SET_CONTEXT_MGR already set
[  423.408631][   T12] binder: release 12087:12089 transaction 818 out, still active
[  423.417391][T12089] binder: 12087:12089 ioctl 40046207 0 returned -16
17:33:50 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  423.450693][   T12] binder: unexpected work type, 4, not freed
[  423.456901][   T12] binder: send failed reply for transaction 818, target dead
17:33:50 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:50 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x7a}], 0x0, 0x0, 0x0})

17:33:50 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:50 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x600)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:50 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  423.637064][T12107] binder: BINDER_SET_CONTEXT_MGR already set
[  423.654234][   T12] binder: release 12105:12107 transaction 823 out, still active
[  423.664283][T12107] binder: 12105:12107 ioctl 40046207 0 returned -16
[  423.676635][   T12] binder: unexpected work type, 4, not freed
17:33:51 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}, {0xffffffffffffffff, 0x1}, {0xffffffffffffffff, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {0xffffffffffffffff, 0x1}], 0x7, 0x100000001)

17:33:51 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x300)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  423.691941][   T12] binder_release_work: 4 callbacks suppressed
[  423.691946][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x300}], 0x0, 0x0, 0x0})

[  423.786302][   T12] binder: send failed reply for transaction 823, target dead
17:33:51 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:51 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}, {0xffffffffffffffff, 0x1}, {0xffffffffffffffff, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {0xffffffffffffffff, 0x1}], 0x7, 0x100000001)

[  423.867313][T12127] binder_thread_write: 8 callbacks suppressed
[  423.912434][T12127] binder: 12126:12127 IncRefs 0 refcount change on invalid ref 768 ret -22
17:33:51 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  423.978256][T12127] binder: BINDER_SET_CONTEXT_MGR already set
17:33:51 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}, {0xffffffffffffffff, 0x1}, {0xffffffffffffffff, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {0xffffffffffffffff, 0x1}], 0x7, 0x100000001)

[  424.024118][T12127] binder: 12126:12127 ioctl 40046207 0 returned -16
[  424.039894][   T12] binder_release_work: 11 callbacks suppressed
[  424.039902][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:51 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x500}], 0x0, 0x0, 0x0})

[  424.099242][   T12] binder: send failed reply for transaction 828 to 12126:12127
[  424.128246][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:51 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x10000c0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  424.149790][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  424.180188][T12149] binder: 12145:12149 IncRefs 0 refcount change on invalid ref 1280 ret -22
[  424.211957][T12149] binder: BINDER_SET_CONTEXT_MGR already set
[  424.233060][   T12] binder: release 12145:12149 transaction 833 out, still active
[  424.244385][T12149] binder: 12145:12149 ioctl 40046207 0 returned -16
17:33:51 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:51 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:51 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  424.277106][   T12] binder: unexpected work type, 4, not freed
[  424.296431][   T12] binder: undelivered TRANSACTION_COMPLETE
[  424.335795][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  424.371367][   T12] binder: send failed reply for transaction 833, target dead
17:33:51 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x500)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x600}], 0x0, 0x0, 0x0})

17:33:51 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:51 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  424.472180][T12169] binder: 12166:12169 IncRefs 0 refcount change on invalid ref 1536 ret -22
17:33:51 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:51 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  424.548194][T12177] binder_alloc_mmap_handler: 5 callbacks suppressed
[  424.548211][T12177] binder_alloc: binder_alloc_mmap_handler: 12166 20001000-20004000 already mapped failed -16
17:33:51 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x17e5000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  424.609512][T12169] binder: BINDER_SET_CONTEXT_MGR already set
[  424.632781][T12169] binder: 12166:12169 ioctl 40046207 0 returned -16
[  424.661203][T12185] binder_alloc_new_buf_locked: 5 callbacks suppressed
[  424.661212][T12185] binder_alloc: 12166: binder_alloc_buf, no vma
17:33:52 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:52 executing program 1:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r0, 0x8}, {r0, 0x1}, {r0, 0x7c5bbb9ab24de92b}, {0xffffffffffffffff, 0x2000}, {0xffffffffffffffff, 0x202}, {0xffffffffffffffff, 0x4}, {r0, 0x1}], 0x7, 0x100000001)

[  424.752631][T12169] binder: 12166:12169 IncRefs 0 refcount change on invalid ref 1536 ret -22
17:33:52 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x900)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  424.796784][T12185] binder_transaction: 5 callbacks suppressed
[  424.796801][T12185] binder: 12166:12185 transaction failed 29189/-3, size 24-8 line 3147
[  424.821428][   T12] binder: send failed reply for transaction 838 to 12166:12169
17:33:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x700}], 0x0, 0x0, 0x0})

[  424.859882][   T12] binder: undelivered TRANSACTION_COMPLETE
[  424.872558][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  424.896546][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:52 executing program 1:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r0, 0x8}, {r0, 0x1}, {r0, 0x7c5bbb9ab24de92b}, {0xffffffffffffffff, 0x2000}, {0xffffffffffffffff, 0x202}, {0xffffffffffffffff, 0x4}, {r0, 0x1}], 0x7, 0x100000001)

17:33:52 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x600)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:52 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:52 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1807000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  425.046756][T12205] binder: 12203:12205 IncRefs 0 refcount change on invalid ref 1792 ret -22
17:33:52 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  425.091844][T12231] binder_alloc: binder_alloc_mmap_handler: 12203 20001000-20004000 already mapped failed -16
[  425.112243][T12205] binder: BINDER_SET_CONTEXT_MGR already set
[  425.119157][T12205] binder: 12203:12205 ioctl 40046207 0 returned -16
[  425.134257][T12231] binder_alloc: 12203: binder_alloc_buf, no vma
[  425.145230][T12231] binder: 12203:12231 transaction failed 29189/-3, size 24-8 line 3147
[  425.177557][   T12] binder: release 12203:12205 transaction 843 out, still active
[  425.198361][   T12] binder: unexpected work type, 4, not freed
17:33:52 executing program 1:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r0, 0x8}, {r0, 0x1}, {r0, 0x7c5bbb9ab24de92b}, {0xffffffffffffffff, 0x2000}, {0xffffffffffffffff, 0x202}, {0xffffffffffffffff, 0x4}, {r0, 0x1}], 0x7, 0x100000001)

17:33:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0xa00}], 0x0, 0x0, 0x0})

[  425.246115][   T12] binder: undelivered TRANSACTION_COMPLETE
[  425.269594][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:52 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:52 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa00)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:52 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  425.322128][   T12] binder: send failed reply for transaction 843, target dead
[  425.360867][T12332] binder: 12331:12332 IncRefs 0 refcount change on invalid ref 2560 ret -22
17:33:52 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x2000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:52 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  425.451963][T12338] binder_alloc: binder_alloc_mmap_handler: 12331 20001000-20004000 already mapped failed -16
17:33:52 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  425.545027][T12332] binder: BINDER_SET_CONTEXT_MGR already set
17:33:52 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:52 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  425.588187][T12332] binder: 12331:12332 ioctl 40046207 0 returned -16
[  425.619121][T12352] binder_alloc: 12331: binder_alloc_buf, no vma
[  425.647306][T12338] binder: 12331:12338 IncRefs 0 refcount change on invalid ref 2560 ret -22
[  425.682346][   T12] binder: release 12331:12332 transaction 848 out, still active
[  425.694405][T12352] binder: 12331:12352 transaction failed 29189/-3, size 24-8 line 3147
[  425.705343][   T12] binder: unexpected work type, 4, not freed
[  425.715725][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:53 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x2000}], 0x0, 0x0, 0x0})

17:33:53 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  425.748181][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  425.775832][   T12] binder: send failed reply for transaction 848, target dead
17:33:53 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  425.870929][T12369] binder: 12368:12369 IncRefs 0 refcount change on invalid ref 8192 ret -22
[  425.899443][T12372] binder_alloc: binder_alloc_mmap_handler: 12368 20001000-20004000 already mapped failed -16
17:33:53 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  425.922043][T12369] binder: BINDER_SET_CONTEXT_MGR already set
[  425.940147][T12369] binder: 12368:12369 ioctl 40046207 0 returned -16
[  425.963472][T12372] binder_alloc: 12368: binder_alloc_buf, no vma
[  426.035528][   T12] binder: release 12368:12369 transaction 853 out, still active
[  426.046405][T12372] binder: 12368:12372 transaction failed 29189/-3, size 24-8 line 3147
[  426.062113][   T12] binder: unexpected work type, 4, not freed
17:33:53 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb00)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:53 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x900)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:53 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:53 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  426.082072][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:53 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x3f00}], 0x0, 0x0, 0x0})

[  426.133321][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  426.161998][   T12] binder: send failed reply for transaction 853, target dead
17:33:53 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:53 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  426.269982][T12398] binder: 12395:12398 IncRefs 0 refcount change on invalid ref 16128 ret -22
[  426.333278][T12407] binder_alloc: binder_alloc_mmap_handler: 12395 20001000-20004000 already mapped failed -16
17:33:53 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  426.398504][T12398] binder: BINDER_SET_CONTEXT_MGR already set
[  426.417369][T12398] binder: 12395:12398 ioctl 40046207 0 returned -16
[  426.445837][T12410] binder_alloc: 12395: binder_alloc_buf, no vma
[  426.457928][T12410] binder: 12395:12410 transaction failed 29189/-3, size 24-8 line 3147
[  426.484128][T12398] binder: 12395:12398 IncRefs 0 refcount change on invalid ref 16128 ret -22
17:33:53 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa00)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:53 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:53 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  426.502791][   T12] binder: release 12395:12398 transaction 858 out, still active
[  426.541593][   T12] binder: unexpected work type, 4, not freed
[  426.574138][   T12] binder: undelivered TRANSACTION_COMPLETE
[  426.625098][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  426.655423][   T12] binder: send failed reply for transaction 858, target dead
17:33:54 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd00)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x4800}], 0x0, 0x0, 0x0})

17:33:54 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  426.758368][T12435] binder_alloc: binder_alloc_mmap_handler: 12427 20001000-20004000 already mapped failed -16
17:33:54 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  426.809150][T12434] binder: BINDER_SET_CONTEXT_MGR already set
[  426.839809][    C1] net_ratelimit: 17 callbacks suppressed
[  426.839817][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  426.849945][T12434] binder: 12427:12434 ioctl 40046207 0 returned -16
17:33:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  426.851344][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  426.872560][T12441] binder_alloc: 12427: binder_alloc_buf, no vma
17:33:54 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  426.945161][T12441] binder: 12427:12441 transaction failed 29189/-3, size 24-8 line 3147
[  426.961050][   T12] binder: send failed reply for transaction 863 to 12427:12434
17:33:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x4c00}], 0x0, 0x0, 0x0})

[  426.989529][   T12] binder: undelivered TRANSACTION_COMPLETE
[  427.014726][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:54 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb00)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:54 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:54 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:54 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  427.157639][T12463] binder_alloc: binder_alloc_mmap_handler: 12456 20001000-20004000 already mapped failed -16
17:33:54 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  427.228197][T12458] binder: BINDER_SET_CONTEXT_MGR already set
[  427.239804][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  427.245683][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  427.266250][T12458] binder: 12456:12458 ioctl 40046207 0 returned -16
[  427.313171][   T12] binder: release 12456:12458 transaction 868 out, still active
17:33:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  427.359891][   T12] binder: unexpected work type, 4, not freed
[  427.365979][   T12] binder: undelivered TRANSACTION_COMPLETE
[  427.366097][   T12] binder: send failed reply for transaction 868, target dead
[  427.399838][    C0] protocol 88fb is buggy, dev hsr_slave_0
17:33:54 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(0x0, 0x0, 0x100000001)

[  427.405673][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:33:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6000}], 0x0, 0x0, 0x0})

17:33:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  427.558290][T12494] binder_alloc: binder_alloc_mmap_handler: 12490 20001000-20004000 already mapped failed -16
17:33:54 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd00)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:54 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x6000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:54 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(0x0, 0x0, 0x100000001)

[  427.598602][T12491] binder: BINDER_SET_CONTEXT_MGR already set
[  427.616165][T12491] binder: 12490:12491 ioctl 40046207 0 returned -16
17:33:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  427.684672][T12494] binder_alloc: 12490: binder_alloc_buf, no vma
[  427.700885][   T12] binder: send failed reply for transaction 872 to 12490:12491
[  427.728602][T12494] binder: 12490:12494 transaction failed 29189/-3, size 24-8 line 3147
17:33:55 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(0x0, 0x0, 0x100000001)

17:33:55 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x2000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:55 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6800}], 0x0, 0x0, 0x0})

[  427.879850][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  427.885667][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:33:55 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  427.962375][T12526] binder_alloc: binder_alloc_mmap_handler: 12523 20001000-20004000 already mapped failed -16
17:33:55 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  428.018473][T12525] binder: BINDER_SET_CONTEXT_MGR already set
17:33:55 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}], 0x6, 0x100000001)

[  428.060679][T12525] binder: 12523:12525 ioctl 40046207 0 returned -16
[  428.101789][T12531] binder_alloc: 12523: binder_alloc_buf, no vma
17:33:55 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  428.150908][T12531] binder: 12523:12531 transaction failed 29189/-3, size 24-8 line 3147
[  428.185178][   T12] binder: send failed reply for transaction 877 to 12523:12525
17:33:55 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:55 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}], 0x5, 0x100000001)

17:33:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6c00}], 0x0, 0x0, 0x0})

17:33:55 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:55 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3f00)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:55 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}], 0x4, 0x100000001)

[  428.348169][T12555] binder_alloc: binder_alloc_mmap_handler: 12550 20001000-20004000 already mapped failed -16
[  428.382570][T12552] binder: BINDER_SET_CONTEXT_MGR already set
[  428.396615][T12555] binder_alloc: 12550: binder_alloc_buf, no vma
[  428.450401][   T12] binder: release 12550:12552 transaction 882 out, still active
[  428.458618][T12552] binder: 12550:12552 ioctl 40046207 0 returned -16
[  428.483557][   T12] binder: unexpected work type, 4, not freed
17:33:55 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  428.501625][T12555] binder: 12550:12555 transaction failed 29189/-3, size 24-8 line 3147
[  428.515307][   T12] binder: send failed reply for transaction 882, target dead
17:33:55 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:55 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}], 0x3, 0x100000001)

17:33:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x7400}], 0x0, 0x0, 0x0})

17:33:56 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  428.679811][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  428.679849][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  428.705879][T12578] binder: BINDER_SET_CONTEXT_MGR already set
17:33:56 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x2000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  428.750805][T12580] binder_alloc: 12574: binder_alloc_buf, no vma
[  428.765100][   T12] binder: release 12574:12578 transaction 887 out, still active
[  428.773609][T12578] binder: 12574:12578 ioctl 40046207 0 returned -16
17:33:56 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

17:33:56 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}], 0x2, 0x100000001)

[  428.800080][   T12] binder: unexpected work type, 4, not freed
[  428.818147][T12580] binder: 12574:12580 transaction failed 29189/-3, size 24-8 line 3147
[  428.832070][   T12] binder_release_work: 3 callbacks suppressed
[  428.832076][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x7a00}], 0x0, 0x0, 0x0})

[  428.898861][   T12] binder: send failed reply for transaction 887, target dead
17:33:56 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:56 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}], 0x1, 0x100000001)

17:33:56 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  429.010645][T12600] binder_thread_write: 6 callbacks suppressed
[  429.010660][T12600] binder: 12598:12600 IncRefs 0 refcount change on invalid ref 31232 ret -22
17:33:56 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:56 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

[  429.134744][T12600] binder: BINDER_SET_CONTEXT_MGR already set
[  429.164258][   T12] binder: release 12598:12600 transaction 892 out, still active
[  429.172630][T12600] binder: 12598:12600 ioctl 40046207 0 returned -16
[  429.179277][   T12] binder: unexpected work type, 4, not freed
17:33:56 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  429.215519][   T12] binder: undelivered TRANSACTION_COMPLETE
[  429.240647][   T12] binder_release_work: 7 callbacks suppressed
[  429.240654][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x1000000}], 0x0, 0x0, 0x0})

17:33:56 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  429.314608][   T12] binder: send failed reply for transaction 892, target dead
17:33:56 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

[  429.356962][T12625] binder: 12624:12625 IncRefs 0 refcount change on invalid ref 16777216 ret -22
[  429.388798][T12625] binder: BINDER_SET_CONTEXT_MGR already set
17:33:56 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}, {r1, 0x1}], 0x7, 0x100000001)

[  429.412543][   T12] binder: release 12624:12625 transaction 897 out, still active
[  429.424180][T12625] binder: 12624:12625 ioctl 40046207 0 returned -16
[  429.441179][   T12] binder: unexpected work type, 4, not freed
[  429.447222][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:56 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:56 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

[  429.490460][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  429.496892][   T12] binder: send failed reply for transaction 897, target dead
17:33:56 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x2000000}], 0x0, 0x0, 0x0})

17:33:56 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(0x0, 0x0, 0x100000001)

17:33:57 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}], 0x1, 0x100000001)

[  429.655850][T12647] binder: 12645:12647 IncRefs 0 refcount change on invalid ref 33554432 ret -22
17:33:57 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(0x0, 0x0, 0x100000001)

[  429.761663][T12657] binder_alloc_mmap_handler: 3 callbacks suppressed
[  429.761762][T12657] binder_alloc: binder_alloc_mmap_handler: 12645 20001000-20004000 already mapped failed -16
17:33:57 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:57 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}], 0x1, 0x100000001)

[  429.840346][T12647] binder: BINDER_SET_CONTEXT_MGR already set
[  429.864822][T12647] binder: 12645:12647 ioctl 40046207 0 returned -16
17:33:57 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(0x0, 0x0, 0x100000001)

[  429.909180][T12664] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  429.909188][T12664] binder_alloc: 12645: binder_alloc_buf, no vma
17:33:57 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x9000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  429.975046][T12647] binder: 12645:12647 IncRefs 0 refcount change on invalid ref 33554432 ret -22
17:33:57 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}], 0x1, 0x100000001)

[  430.020771][   T12] binder: release 12645:12647 transaction 902 out, still active
[  430.029343][T12664] binder_transaction: 2 callbacks suppressed
[  430.029362][T12664] binder: 12645:12664 transaction failed 29189/-3, size 24-8 line 3147
[  430.062835][   T12] binder: unexpected work type, 4, not freed
[  430.096617][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:57 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}, {r0, 0x4}], 0x6, 0x100000001)

[  430.122195][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  430.130312][   T12] binder: send failed reply for transaction 902, target dead
17:33:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x3000000}], 0x0, 0x0, 0x0})

17:33:57 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x60ff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:57 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:33:57 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}, {r0, 0x202}], 0x5, 0x100000001)

[  430.274190][T12691] binder: 12685:12691 IncRefs 0 refcount change on invalid ref 50331648 ret -22
17:33:57 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x60ff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  430.336622][T12694] binder_alloc: binder_alloc_mmap_handler: 12685 20001000-20004000 already mapped failed -16
17:33:57 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x0)

[  430.407179][T12691] binder: BINDER_SET_CONTEXT_MGR already set
[  430.437333][T12691] binder: 12685:12691 ioctl 40046207 0 returned -16
17:33:57 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  430.473870][T12704] binder_alloc: 12685: binder_alloc_buf, no vma
[  430.518753][T12704] binder: 12685:12704 transaction failed 29189/-3, size 24-8 line 3147
17:33:57 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}, {r0, 0x2000}], 0x4, 0x100000001)

17:33:57 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x0)

17:33:57 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  430.562769][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  430.585903][   T12] binder: send failed reply for transaction 907 to 12685:12691
17:33:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x4000000}], 0x0, 0x0, 0x0})

[  430.641816][   T12] binder: undelivered TRANSACTION_COMPLETE
[  430.686066][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  430.717125][T12723] binder: 12722:12723 IncRefs 0 refcount change on invalid ref 67108864 ret -22
17:33:58 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x0)

17:33:58 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}, {r1, 0x7c5bbb9ab24de92b}], 0x3, 0x100000001)

[  430.776647][T12725] binder_alloc: binder_alloc_mmap_handler: 12722 20001000-20004000 already mapped failed -16
[  430.815022][T12723] binder: BINDER_SET_CONTEXT_MGR already set
[  430.826856][T12723] binder: 12722:12723 ioctl 40046207 0 returned -16
17:33:58 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}, {r1, 0x1}], 0x2, 0x100000001)

[  430.900301][   T12] binder: release 12722:12723 transaction 912 out, still active
[  430.908032][   T12] binder: unexpected work type, 4, not freed
[  430.916385][T12725] binder_alloc: 12722: binder_alloc_buf, no vma
17:33:58 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:58 executing program 4:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:58 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  430.950553][T12725] binder: 12722:12725 transaction failed 29189/-3, size 24-8 line 3147
[  430.978013][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:58 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}], 0x1, 0x100000001)

17:33:58 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x5000000}], 0x0, 0x0, 0x0})

[  431.003187][   T12] binder: send failed reply for transaction 912, target dead
[  431.040699][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:58 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x9400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  431.145481][T12752] binder: 12751:12752 IncRefs 0 refcount change on invalid ref 83886080 ret -22
17:33:58 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

[  431.210270][T12762] binder_alloc: binder_alloc_mmap_handler: 12751 20001000-20004000 already mapped failed -16
[  431.264035][T12752] binder: BINDER_SET_CONTEXT_MGR already set
[  431.300612][T12752] binder: 12751:12752 ioctl 40046207 0 returned -16
17:33:58 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:58 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

[  431.331460][T12832] binder_alloc: 12751: binder_alloc_buf, no vma
[  431.350326][T12762] binder: 12751:12762 IncRefs 0 refcount change on invalid ref 83886080 ret -22
[  431.401170][   T12] binder: release 12751:12752 transaction 917 out, still active
[  431.413641][T12832] binder: 12751:12832 transaction failed 29189/-3, size 24-8 line 3147
[  431.428610][   T12] binder: unexpected work type, 4, not freed
17:33:58 executing program 4:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:58 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x9400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  431.472477][   T12] binder: undelivered TRANSACTION_COMPLETE
[  431.489196][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:58 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6000000}], 0x0, 0x0, 0x0})

17:33:58 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

[  431.519283][   T12] binder: send failed reply for transaction 917, target dead
17:33:58 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x200000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  431.647708][T12883] binder: 12882:12883 IncRefs 0 refcount change on invalid ref 100663296 ret -22
[  431.703061][T12946] binder_alloc: binder_alloc_mmap_handler: 12882 20001000-20004000 already mapped failed -16
[  431.755102][T12883] binder: BINDER_SET_CONTEXT_MGR already set
[  431.784788][T12883] binder: 12882:12883 ioctl 40046207 0 returned -16
17:33:59 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x14000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  431.813554][T13033] binder_alloc: 12882: binder_alloc_buf, no vma
17:33:59 executing program 4:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:59 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}], 0x1, 0x100000001)

[  431.870701][T13033] binder: 12882:13033 transaction failed 29189/-3, size 24-8 line 3147
[  431.879323][   T12] binder: send failed reply for transaction 922 to 12882:12883
[  431.902561][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:59 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:59 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x7000000}], 0x0, 0x0, 0x0})

[  431.943516][   T12] binder: undelivered TRANSACTION_COMPLETE
[  431.964180][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  432.039836][    C0] net_ratelimit: 18 callbacks suppressed
[  432.039844][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  432.051338][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:33:59 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20d501)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:33:59 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}], 0x1, 0x100000001)

[  432.098434][T13111] binder: 13106:13111 IncRefs 0 refcount change on invalid ref 117440512 ret -22
[  432.160009][T13140] binder_alloc: binder_alloc_mmap_handler: 13106 20001000-20004000 already mapped failed -16
[  432.198982][T13111] binder: BINDER_SET_CONTEXT_MGR already set
17:33:59 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{0xffffffffffffffff, 0x8}], 0x1, 0x100000001)

[  432.232374][T13111] binder: 13106:13111 ioctl 40046207 0 returned -16
17:33:59 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x19000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  432.292600][   T12] binder: send failed reply for transaction 927 to 13106:13111
[  432.330454][   T12] binder: undelivered TRANSACTION_COMPLETE
[  432.336386][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:33:59 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0xa000000}], 0x0, 0x0, 0x0})

17:33:59 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:33:59 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x200000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  432.419396][T13231] binder_alloc: binder_alloc_mmap_handler: 13228 20001000-20004000 already mapped failed -16
17:33:59 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  432.462890][T13230] binder: BINDER_SET_CONTEXT_MGR already set
[  432.497432][T13230] binder: 13228:13230 ioctl 40046207 0 returned -16
[  432.528692][   T12] binder: release 13228:13230 transaction 931 out, still active
[  432.536890][T13231] binder_alloc: 13228: binder_alloc_buf, no vma
[  432.554518][   T12] binder: unexpected work type, 4, not freed
17:33:59 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  432.578967][T13231] binder: 13228:13231 transaction failed 29189/-3, size 24-8 line 3147
[  432.602763][   T12] binder: undelivered TRANSACTION_COMPLETE
17:33:59 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x0)

[  432.628934][   T12] binder: send failed reply for transaction 931, target dead
17:33:59 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x307100)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:00 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:00 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x20000000}], 0x0, 0x0, 0x0})

17:34:00 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x0)

17:34:00 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$RTC_AIE_OFF(0xffffffffffffffff, 0x80247009)

[  432.839821][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  432.839843][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  432.846066][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  432.852032][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:00 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1a000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  432.906485][T13264] binder_alloc: binder_alloc_mmap_handler: 13259 20001000-20004000 already mapped failed -16
17:34:00 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x307100)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  432.957602][T13262] binder: BINDER_SET_CONTEXT_MGR already set
17:34:00 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x0)

17:34:00 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$RTC_AIE_OFF(0xffffffffffffffff, 0x80247009)

[  432.998433][T13262] binder: 13259:13262 ioctl 40046207 0 returned -16
[  433.034764][T13271] binder_alloc: 13259: binder_alloc_buf, no vma
[  433.054397][   T12] binder: release 13259:13262 transaction 936 out, still active
[  433.064702][T13271] binder: 13259:13271 transaction failed 29189/-3, size 24-8 line 3147
[  433.074384][   T12] binder: unexpected work type, 4, not freed
[  433.080535][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  433.080594][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  433.097929][   T12] binder: send failed reply for transaction 936, target dead
17:34:00 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x3f000000}], 0x0, 0x0, 0x0})

17:34:00 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$RTC_AIE_OFF(0xffffffffffffffff, 0x80247009)

17:34:00 executing program 1 (fault-call:3 fault-nth:0):
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:00 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:00 executing program 4:
socket$inet_udplite(0x2, 0x2, 0x88)
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  433.303798][T13294] binder_alloc: binder_alloc_mmap_handler: 13289 20001000-20004000 already mapped failed -16
17:34:00 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:00 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  433.368283][T13293] binder: BINDER_SET_CONTEXT_MGR already set
[  433.404559][T13293] binder: 13289:13293 ioctl 40046207 0 returned -16
[  433.444371][T13300] binder_alloc: 13289: binder_alloc_buf, no vma
[  433.472946][   T12] binder: release 13289:13293 transaction 941 out, still active
[  433.479817][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  433.481762][T13300] binder: 13289:13300 transaction failed 29189/-3, size 24-8 line 3147
17:34:00 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:00 executing program 4:
socket$inet_udplite(0x2, 0x2, 0x88)
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  433.486460][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  433.500720][   T12] binder: unexpected work type, 4, not freed
17:34:00 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}], 0x1, 0x100000001)

[  433.535845][   T12] binder: send failed reply for transaction 941, target dead
17:34:00 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x48000000}], 0x0, 0x0, 0x0})

17:34:00 executing program 4:
socket$inet_udplite(0x2, 0x2, 0x88)
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  433.722420][T13355] binder_alloc: binder_alloc_mmap_handler: 13329 20001000-20004000 already mapped failed -16
17:34:01 executing program 4:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

17:34:01 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3f000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  433.763750][T13346] binder: BINDER_SET_CONTEXT_MGR already set
[  433.780635][T13346] binder: 13329:13346 ioctl 40046207 0 returned -16
[  433.797497][T13355] binder_alloc: 13329: binder_alloc_buf, no vma
[  433.839846][   T12] binder: release 13329:13346 transaction 946 out, still active
[  433.847591][   T12] binder: unexpected work type, 4, not freed
[  433.854431][T13355] binder: 13329:13355 transaction failed 29189/-3, size 24-8 line 3147
17:34:01 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40d701)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:01 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x64}], 0x1, 0x100000001)

[  433.881539][   T12] binder_release_work: 2 callbacks suppressed
[  433.881544][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:01 executing program 4:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

17:34:01 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x4c000000}], 0x0, 0x0, 0x0})

[  433.958924][   T12] binder: send failed reply for transaction 946, target dead
[  434.041639][T13453] binder_thread_write: 6 callbacks suppressed
[  434.042926][T13453] binder: 13451:13453 IncRefs 0 refcount change on invalid ref 1275068416 ret -22
17:34:01 executing program 4:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  434.084111][T13453] binder: BINDER_SET_CONTEXT_MGR already set
[  434.092010][T13478] binder_alloc: 13451: binder_alloc_buf, no vma
[  434.098483][T13453] binder: 13451:13453 ioctl 40046207 0 returned -16
[  434.106423][T13478] binder: 13451:13478 transaction failed 29189/-3, size 24-8 line 3147
[  434.115581][   T12] binder: release 13451:13453 transaction 951 out, still active
17:34:01 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x50b000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  434.140065][   T12] binder: unexpected work type, 4, not freed
[  434.171085][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:01 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x60000000}], 0x0, 0x0, 0x0})

17:34:01 executing program 4:
socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  434.196860][   T12] binder: send failed reply for transaction 951, target dead
17:34:01 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x1b1}], 0x1, 0x100000001)

17:34:01 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  434.289688][T13562] binder: 13559:13562 IncRefs 0 refcount change on invalid ref 1610612736 ret -22
[  434.367966][T13562] binder: BINDER_SET_CONTEXT_MGR already set
[  434.398124][T13562] binder: 13559:13562 ioctl 40046207 0 returned -16
17:34:01 executing program 4:
socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  434.417423][   T12] binder_release_work: 5 callbacks suppressed
[  434.417431][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:01 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x68000000}], 0x0, 0x0, 0x0})

[  434.465820][   T12] binder: send failed reply for transaction 956 to 13559:13562
[  434.520125][   T12] binder: undelivered TRANSACTION_COMPLETE
[  434.526023][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  434.571283][T13681] binder: 13679:13681 IncRefs 0 refcount change on invalid ref 1744830464 ret -22
17:34:01 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x50b000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:01 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x3f00}], 0x1, 0x100000001)

17:34:01 executing program 4:
socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  434.613316][T13681] binder: BINDER_SET_CONTEXT_MGR already set
[  434.648676][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:01 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x601a01)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  434.657764][T13681] binder: 13679:13681 ioctl 40046207 0 returned -16
[  434.684722][   T12] binder: send failed reply for transaction 961 to 13679:13681
17:34:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:02 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6c000000}], 0x0, 0x0, 0x0})

[  434.728497][   T12] binder: undelivered TRANSACTION_COMPLETE
[  434.760853][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:02 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40000001)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:02 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x6400}], 0x1, 0x100000001)

[  434.887630][T13801] binder: 13799:13801 IncRefs 0 refcount change on invalid ref 1811939328 ret -22
[  434.938112][T13809] binder_alloc_mmap_handler: 3 callbacks suppressed
[  434.938130][T13809] binder_alloc: binder_alloc_mmap_handler: 13799 20001000-20004000 already mapped failed -16
17:34:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  435.021555][T13801] binder: BINDER_SET_CONTEXT_MGR already set
17:34:02 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x70a000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  435.061829][T13801] binder: 13799:13801 ioctl 40046207 0 returned -16
17:34:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  435.112392][T13879] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  435.112402][T13879] binder_alloc: 13799: binder_alloc_buf, no vma
[  435.179441][T13801] binder: 13799:13801 IncRefs 0 refcount change on invalid ref 1811939328 ret -22
[  435.212875][   T12] binder: release 13799:13801 transaction 966 out, still active
[  435.222960][T13879] binder_transaction: 2 callbacks suppressed
17:34:02 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0xb101}], 0x1, 0x100000001)

17:34:02 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x70a000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  435.222984][T13879] binder: 13799:13879 transaction failed 29189/-3, size 24-8 line 3147
[  435.268347][   T12] binder: unexpected work type, 4, not freed
17:34:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  435.284398][   T12] binder: undelivered TRANSACTION_COMPLETE
[  435.308262][   T12] binder: send failed reply for transaction 966, target dead
[  435.350618][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:02 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x74000000}], 0x0, 0x0, 0x0})

17:34:02 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x50000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:02 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8000000}], 0x1, 0x100000001)

[  435.476683][T14040] binder: 14038:14040 IncRefs 0 refcount change on invalid ref 1946157056 ret -22
17:34:02 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x713000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  435.564079][T14051] binder_alloc: binder_alloc_mmap_handler: 14038 20001000-20004000 already mapped failed -16
[  435.624434][T14040] binder: BINDER_SET_CONTEXT_MGR already set
[  435.652599][T14040] binder: 14038:14040 ioctl 40046207 0 returned -16
17:34:03 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  435.700300][   T12] binder: release 14038:14040 transaction 971 out, still active
[  435.719986][   T12] binder: unexpected work type, 4, not freed
[  435.726051][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:03 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x3f000000}], 0x1, 0x100000001)

17:34:03 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x7a000000}], 0x0, 0x0, 0x0})

[  435.764787][   T12] binder: send failed reply for transaction 971, target dead
17:34:03 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x713000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  435.854005][T14169] binder: 14167:14169 IncRefs 0 refcount change on invalid ref 2046820352 ret -22
17:34:03 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000007)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:03 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  435.926332][T14215] binder_alloc: binder_alloc_mmap_handler: 14167 20001000-20004000 already mapped failed -16
[  435.956380][T14169] binder: BINDER_SET_CONTEXT_MGR already set
[  435.975154][T14169] binder: 14167:14169 ioctl 40046207 0 returned -16
17:34:03 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x64000000}], 0x1, 0x100000001)

17:34:03 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  436.039963][   T12] binder: release 14167:14169 transaction 975 out, still active
[  436.047703][   T12] binder: unexpected work type, 4, not freed
[  436.054474][T14215] binder_alloc: 14167: binder_alloc_buf, no vma
[  436.064048][T14215] binder: 14167:14215 transaction failed 29189/-3, size 24-8 line 3147
17:34:03 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x740000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  436.086529][   T12] binder: undelivered TRANSACTION_COMPLETE
[  436.105503][   T12] binder: send failed reply for transaction 975, target dead
[  436.166644][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:03 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0xfdfdffff}], 0x0, 0x0, 0x0})

17:34:03 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:03 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0xb1010000}], 0x1, 0x100000001)

17:34:03 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000008)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:03 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x740000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  436.332468][T14399] binder: 14389:14399 IncRefs 0 refcount change on invalid ref -33685505 ret -22
[  436.366869][T14402] binder_alloc: binder_alloc_mmap_handler: 14389 20001000-20004000 already mapped failed -16
17:34:03 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  436.435324][T14399] binder: BINDER_SET_CONTEXT_MGR already set
17:34:03 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80ffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:03 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  436.483621][T14399] binder: 14389:14399 ioctl 40046207 0 returned -16
[  436.521117][T14421] binder_alloc: 14389: binder_alloc_buf, no vma
[  436.560720][T14402] binder: 14389:14402 IncRefs 0 refcount change on invalid ref -33685505 ret -22
[  436.636299][   T12] binder: release 14389:14399 transaction 980 out, still active
[  436.655114][T14421] binder: 14389:14421 transaction failed 29189/-3, size 24-8 line 3147
[  436.668677][   T12] binder: unexpected work type, 4, not freed
17:34:04 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0xfcffffff}], 0x1, 0x100000001)

17:34:04 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  436.691232][   T12] binder: undelivered TRANSACTION_COMPLETE
[  436.713037][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:04 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0xfffffdfd}], 0x0, 0x0, 0x0})

17:34:04 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000019)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  436.760598][   T12] binder: send failed reply for transaction 980, target dead
17:34:04 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  436.833857][T14552] binder: 14539:14552 IncRefs 0 refcount change on invalid ref -515 ret -22
17:34:04 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x940000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  436.884338][T14592] binder_alloc: binder_alloc_mmap_handler: 14539 20001000-20004000 already mapped failed -16
17:34:04 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  436.956148][T14552] binder: BINDER_SET_CONTEXT_MGR already set
[  436.985042][T14552] binder: 14539:14552 ioctl 40046207 0 returned -16
17:34:04 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x801c01)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  437.027669][T14650] binder_alloc: 14539: binder_alloc_buf, no vma
17:34:04 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0xfffffffc}], 0x1, 0x100000001)

[  437.081907][T14650] binder: 14539:14650 transaction failed 29189/-3, size 24-8 line 3147
[  437.103576][   T12] binder: send failed reply for transaction 985 to 14539:14552
17:34:04 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:04 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x100000000000000}], 0x0, 0x0, 0x0})

[  437.135695][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  437.170165][   T12] binder: undelivered TRANSACTION_COMPLETE
[  437.200229][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  437.239821][    C1] net_ratelimit: 20 callbacks suppressed
17:34:04 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000001a)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:04 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  437.239830][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  437.251385][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  437.261506][T14703] binder_alloc: binder_alloc_mmap_handler: 14663 20001000-20004000 already mapped failed -16
17:34:04 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa07000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  437.344257][T14699] binder: BINDER_SET_CONTEXT_MGR already set
[  437.384457][T14699] binder: 14663:14699 ioctl 40046207 0 returned -16
17:34:04 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x800000000000000}], 0x1, 0x100000001)

[  437.435228][   T12] binder: send failed reply for transaction 990 to 14663:14699
17:34:04 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:04 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x200000000000000}], 0x0, 0x0, 0x0})

[  437.488870][   T12] binder: undelivered TRANSACTION_COMPLETE
[  437.530976][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:04 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80ffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  437.612919][T14881] binder_alloc: binder_alloc_mmap_handler: 14846 20001000-20004000 already mapped failed -16
[  437.639838][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  437.640801][T14848] binder: BINDER_SET_CONTEXT_MGR already set
[  437.645692][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:04 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000001d)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:05 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  437.655720][T14881] binder_alloc: 14846: binder_alloc_buf, no vma
[  437.667656][T14848] binder: 14846:14848 ioctl 40046207 0 returned -16
17:34:05 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x3f00000000000000}], 0x1, 0x100000001)

[  437.720357][   T12] binder: release 14846:14848 transaction 995 out, still active
[  437.729288][T14881] binder: 14846:14881 transaction failed 29189/-3, size 24-8 line 3147
[  437.763931][   T12] binder: unexpected work type, 4, not freed
[  437.790226][   T12] binder: send failed reply for transaction 995, target dead
[  437.799883][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  437.805783][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:05 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x300000000000000}], 0x0, 0x0, 0x0})

17:34:05 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:05 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(0xffffffffffffffff, 0x80247009)

17:34:05 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb05000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  437.982517][T15013] binder_alloc: binder_alloc_mmap_handler: 14994 20001000-20004000 already mapped failed -16
17:34:05 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x6400000000000000}], 0x1, 0x100000001)

[  438.056800][T15006] binder: BINDER_SET_CONTEXT_MGR already set
17:34:05 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc0000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  438.101288][T15006] binder: 14994:15006 ioctl 40046207 0 returned -16
[  438.135996][T15025] binder_alloc: 14994: binder_alloc_buf, no vma
17:34:05 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x940000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:05 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(0xffffffffffffffff, 0x80247009)

[  438.167761][   T12] binder: release 14994:15006 transaction 1001 out, still active
[  438.184572][T15025] binder: 14994:15025 transaction failed 29189/-3, size 24-8 line 3147
[  438.202323][   T12] binder: unexpected work type, 4, not freed
[  438.237147][   T12] binder: send failed reply for transaction 1001, target dead
17:34:05 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x400000000000000}], 0x0, 0x0, 0x0})

[  438.279922][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  438.285854][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:05 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0xb101000000000000}], 0x1, 0x100000001)

17:34:05 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(0xffffffffffffffff, 0x80247009)

[  438.415346][T15144] binder_alloc: binder_alloc_mmap_handler: 15138 20001000-20004000 already mapped failed -16
[  438.469822][T15140] binder: BINDER_SET_CONTEXT_MGR already set
[  438.494238][T15140] binder: 15138:15140 ioctl 40046207 0 returned -16
17:34:05 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc0000001)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  438.518032][T15164] binder_alloc: 15138: binder_alloc_buf, no vma
17:34:05 executing program 4 (fault-call:3 fault-nth:0):
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  438.553626][   T12] binder: send failed reply for transaction 1008 to 15138:15140
[  438.572511][T15164] binder: 15138:15164 transaction failed 29189/-3, size 24-8 line 3147
17:34:05 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:05 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x500000000000000}], 0x0, 0x0, 0x0})

17:34:05 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:05 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0xfcffffff00000000}], 0x1, 0x100000001)

17:34:06 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa07000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  438.783744][T15271] binder_alloc: binder_alloc_mmap_handler: 15266 20001000-20004000 already mapped failed -16
17:34:06 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x2)

[  438.832940][T15267] binder: BINDER_SET_CONTEXT_MGR already set
[  438.860164][T15267] binder: 15266:15267 ioctl 40046207 0 returned -16
[  438.892770][T15341] binder_alloc: 15266: binder_alloc_buf, no vma
17:34:06 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xf6ffffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:06 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x8}], 0x1, 0x100000001)

[  438.936321][   T12] binder: release 15266:15271 transaction 1014 out, still active
[  438.951170][T15341] binder: 15266:15341 transaction failed 29189/-3, size 24-8 line 3147
[  438.963904][   T12] binder: unexpected work type, 4, not freed
[  438.996848][   T12] binder_release_work: 3 callbacks suppressed
[  438.996853][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:06 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x600000000000000}], 0x0, 0x0, 0x0})

17:34:06 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x5421)

[  439.045109][   T12] binder: send failed reply for transaction 1014, target dead
[  439.079806][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  439.079840][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:06 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000040)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:06 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb05000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  439.187113][T15548] binder: BINDER_SET_CONTEXT_MGR already set
[  439.241738][   T12] binder: release 15539:15548 transaction 1021 out, still active
[  439.249550][   T12] binder: unexpected work type, 4, not freed
[  439.260167][T15548] binder: 15539:15548 ioctl 40046207 0 returned -16
17:34:06 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x64}], 0x1, 0x100000001)

17:34:06 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x700000000000000}], 0x0, 0x0, 0x0})

[  439.281953][   T12] binder: undelivered TRANSACTION_COMPLETE
[  439.310887][   T12] binder: send failed reply for transaction 1021, target dead
17:34:06 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x5450)

17:34:06 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfcfdffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  439.452541][T15725] binder: BINDER_SET_CONTEXT_MGR already set
[  439.492138][T15742] binder_alloc: 15718: binder_alloc_buf, no vma
17:34:06 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  439.544489][   T12] binder: release 15718:15725 transaction 1026 out, still active
[  439.553526][T15725] binder: 15718:15725 ioctl 40046207 0 returned -16
[  439.563900][   T12] binder: unexpected work type, 4, not freed
[  439.584907][T15742] binder: 15718:15742 transaction failed 29189/-3, size 24-8 line 3147
17:34:06 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x1b1}], 0x1, 0x100000001)

[  439.608289][   T12] binder: undelivered TRANSACTION_COMPLETE
[  439.632356][   T12] binder: send failed reply for transaction 1026, target dead
17:34:07 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x5451)

17:34:07 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0xa00000000000000}], 0x0, 0x0, 0x0})

[  439.686643][   T12] binder_release_work: 5 callbacks suppressed
[  439.686650][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:07 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  439.832807][T16048] binder: BINDER_SET_CONTEXT_MGR already set
17:34:07 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x3f00}], 0x1, 0x100000001)

17:34:07 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  439.887064][   T12] binder: release 16017:16048 transaction 1032 out, still active
[  439.900870][T16048] binder: 16017:16048 ioctl 40046207 0 returned -16
[  439.915914][   T12] binder: unexpected work type, 4, not freed
17:34:07 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x5452)

17:34:07 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x2000000000000000}], 0x0, 0x0, 0x0})

[  439.946258][   T12] binder: undelivered TRANSACTION_COMPLETE
[  439.986428][   T12] binder: send failed reply for transaction 1032, target dead
17:34:07 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x10000c0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  440.137221][T16287] binder_alloc_mmap_handler: 3 callbacks suppressed
[  440.137240][T16287] binder_alloc: binder_alloc_mmap_handler: 16236 20001000-20004000 already mapped failed -16
17:34:07 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xff600000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:07 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x6400}], 0x1, 0x100000001)

[  440.207678][T16260] binder: BINDER_SET_CONTEXT_MGR already set
[  440.225758][T16260] binder: 16236:16260 ioctl 40046207 0 returned -16
17:34:07 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x5460)

[  440.258407][T16365] binder_alloc: 16236: binder_alloc_buf, no vma
[  440.313083][   T12] binder: release 16236:16260 transaction 1037 out, still active
[  440.322636][T16365] binder: 16236:16365 transaction failed 29189/-3, size 24-8 line 3147
[  440.340744][   T12] binder: unexpected work type, 4, not freed
[  440.353591][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:07 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x3f00000000000000}], 0x0, 0x0, 0x0})

[  440.373798][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  440.394102][   T12] binder: send failed reply for transaction 1037, target dead
17:34:07 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000040)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  440.467495][T16529] binder_alloc: binder_alloc_mmap_handler: 16484 20001000-20004000 already mapped failed -16
17:34:07 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d52000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:07 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7001)

17:34:07 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0xb101}], 0x1, 0x100000001)

[  440.545356][T16513] binder: BINDER_SET_CONTEXT_MGR already set
[  440.577712][T16513] binder: 16484:16513 ioctl 40046207 0 returned -16
17:34:07 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffff8000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:08 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x4800000000000000}], 0x0, 0x0, 0x0})

[  440.686396][   T12] binder: send failed reply for transaction 1044 to 16484:16513
[  440.725330][   T12] binder: undelivered TRANSACTION_COMPLETE
[  440.750770][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:08 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7002)

[  440.802050][T16780] binder_alloc: binder_alloc_mmap_handler: 16737 20001000-20004000 already mapped failed -16
17:34:08 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x8000000}], 0x1, 0x100000001)

17:34:08 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d74000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  440.885698][T16764] binder: BINDER_SET_CONTEXT_MGR already set
[  440.908278][T16764] binder: 16737:16764 ioctl 40046207 0 returned -16
[  440.925628][T16845] binder_alloc: 16737: binder_alloc_buf, no vma
[  440.959362][T16845] binder: 16737:16845 transaction failed 29189/-3, size 24-8 line 3147
[  440.977920][   T12] binder: release 16737:16764 transaction 1049 out, still active
[  440.992329][   T12] binder: unexpected work type, 4, not freed
17:34:08 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x4c00000000000000}], 0x0, 0x0, 0x0})

17:34:08 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7003)

[  441.036680][   T12] binder: undelivered TRANSACTION_COMPLETE
[  441.064112][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:08 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x3f000000}], 0x1, 0x100000001)

[  441.098134][   T12] binder: send failed reply for transaction 1049, target dead
[  441.166722][T17025] binder_alloc: binder_alloc_mmap_handler: 17020 20001000-20004000 already mapped failed -16
17:34:08 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:08 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffdfc)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  441.242126][T17022] binder: BINDER_SET_CONTEXT_MGR already set
17:34:08 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x2000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  441.287204][T17022] binder: 17020:17022 ioctl 40046207 0 returned -16
[  441.320182][T17162] binder_alloc: 17020: binder_alloc_buf, no vma
17:34:08 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7004)

[  441.360260][   T12] binder: release 17020:17022 transaction 1056 out, still active
[  441.368052][   T12] binder: unexpected work type, 4, not freed
[  441.383248][T17162] binder: 17020:17162 transaction failed 29189/-3, size 24-8 line 3147
17:34:08 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x64000000}], 0x1, 0x100000001)

[  441.421575][   T12] binder: undelivered TRANSACTION_COMPLETE
[  441.441141][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:08 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6000000000000000}], 0x0, 0x0, 0x0})

[  441.486301][   T12] binder: send failed reply for transaction 1056, target dead
17:34:08 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7005)

[  441.585408][T17429] binder_alloc: binder_alloc_mmap_handler: 17394 20001000-20004000 already mapped failed -16
[  441.623365][T17416] binder: BINDER_SET_CONTEXT_MGR already set
17:34:08 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0xb1010000}], 0x1, 0x100000001)

[  441.653789][T17416] binder: 17394:17416 ioctl 40046207 0 returned -16
[  441.692011][T17429] binder_alloc: 17394: binder_alloc_buf, no vma
17:34:09 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffdfd)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:09 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x10000c0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  441.710841][   T12] binder: send failed reply for transaction 1063 to 17394:17416
[  441.726777][T17429] binder: 17394:17429 transaction failed 29189/-3, size 24-8 line 3147
[  441.763094][   T12] binder: undelivered TRANSACTION_COMPLETE
[  441.788411][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:09 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7006)

17:34:09 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6800000000000000}], 0x0, 0x0, 0x0})

[  441.819407][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:09 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0xfcffffff}], 0x1, 0x100000001)

17:34:09 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  441.949391][T17611] binder_alloc: binder_alloc_mmap_handler: 17573 20001000-20004000 already mapped failed -16
[  442.032249][T17579] binder: BINDER_SET_CONTEXT_MGR already set
[  442.053253][T17579] binder: 17573:17579 ioctl 40046207 0 returned -16
17:34:09 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x40049409)

[  442.083573][T17729] binder_alloc: 17573: binder_alloc_buf, no vma
17:34:09 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffff6)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:09 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x11a6000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  442.124289][T17729] binder: 17573:17729 transaction failed 29189/-3, size 24-8 line 3147
17:34:09 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0xfffffffc}], 0x1, 0x100000001)

[  442.183343][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  442.216682][   T12] binder: send failed reply for transaction 1069 to 17573:17579
17:34:09 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x6c00000000000000}], 0x0, 0x0, 0x0})

[  442.279924][   T12] binder: undelivered TRANSACTION_COMPLETE
[  442.296803][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:09 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:09 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x4008700c)

[  442.342076][T17904] binder_alloc: binder_alloc_mmap_handler: 17898 20001000-20004000 already mapped failed -16
[  442.408513][T17902] binder: BINDER_SET_CONTEXT_MGR already set
[  442.449812][    C0] net_ratelimit: 17 callbacks suppressed
[  442.449820][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  442.461366][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  442.477594][T17902] binder: 17898:17902 ioctl 40046207 0 returned -16
[  442.491519][T18016] binder_alloc: 17898: binder_alloc_buf, no vma
[  442.498471][T18016] binder: 17898:18016 transaction failed 29189/-3, size 24-8 line 3147
[  442.531177][   T12] binder: release 17898:17902 transaction 1075 out, still active
17:34:09 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:09 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x4008700e)

17:34:09 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x800000000000000}], 0x1, 0x100000001)

[  442.550586][   T12] binder: unexpected work type, 4, not freed
[  442.580788][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:09 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x7400000000000000}], 0x0, 0x0, 0x0})

17:34:09 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x11c8000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  442.632813][   T12] binder: send failed reply for transaction 1075, target dead
[  442.736917][T18186] binder_alloc: binder_alloc_mmap_handler: 18138 20001000-20004000 already mapped failed -16
[  442.786047][T18139] binder: BINDER_SET_CONTEXT_MGR already set
[  442.813817][T18139] binder: 18138:18139 ioctl 40046207 0 returned -16
17:34:10 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x3f00000000000000}], 0x1, 0x100000001)

[  442.857813][T18314] binder_alloc: 18138: binder_alloc_buf, no vma
17:34:10 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x4020940d)

[  442.900674][T18314] binder: 18138:18314 transaction failed 29189/-3, size 24-8 line 3147
[  442.914006][   T12] binder: send failed reply for transaction 1082 to 18138:18139
17:34:10 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x7a00000000000000}], 0x0, 0x0, 0x0})

17:34:10 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:10 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:10 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x2000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  443.083491][T18429] binder_alloc: binder_alloc_mmap_handler: 18410 20001000-20004000 already mapped failed -16
[  443.112293][T18419] binder: BINDER_SET_CONTEXT_MGR already set
17:34:10 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0x6400000000000000}], 0x1, 0x100000001)

[  443.140564][T18419] binder: 18410:18419 ioctl 40046207 0 returned -16
[  443.160912][   T12] binder: release 18410:18419 transaction 1088 out, still active
[  443.170898][T18429] binder_alloc: 18410: binder_alloc_buf, no vma
[  443.189800][   T12] binder: unexpected work type, 4, not freed
[  443.196021][   T12] binder: send failed reply for transaction 1088, target dead
[  443.219713][T18429] binder: 18410:18429 transaction failed 29189/-3, size 24-8 line 3147
17:34:10 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x40247007)

17:34:10 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0xfdfdffff00000000}], 0x0, 0x0, 0x0})

[  443.239820][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  443.239855][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  443.247659][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:10 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  443.416855][T18613] binder_alloc: binder_alloc_mmap_handler: 18569 20001000-20004000 already mapped failed -16
[  443.462605][T18576] binder: BINDER_SET_CONTEXT_MGR already set
[  443.479882][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  443.485743][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  443.487802][T18576] binder: 18569:18576 ioctl 40046207 0 returned -16
[  443.508521][T18755] binder_alloc: 18569: binder_alloc_buf, no vma
17:34:10 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0xb101000000000000}], 0x1, 0x100000001)

17:34:10 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x4024700a)

[  443.537576][T18755] binder: 18569:18755 transaction failed 29189/-3, size 24-8 line 3147
[  443.565352][   T12] binder: release 18569:18576 transaction 1094 out, still active
17:34:10 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x2, 0x0, 0x0})

[  443.606181][   T12] binder: unexpected work type, 4, not freed
[  443.641707][   T12] binder: send failed reply for transaction 1094, target dead
17:34:11 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  443.728353][T18880] binder: 18854:18880 ioctl c0306201 200001c0 returned -14
17:34:11 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:11 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x6000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  443.771424][T18880] binder: BINDER_SET_CONTEXT_MGR already set
17:34:11 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x0, 0xfcffffff00000000}], 0x1, 0x100000001)

17:34:11 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x4028700f)

[  443.846539][T18880] binder: 18854:18880 ioctl 40046207 0 returned -16
[  443.854030][   T12] binder: send failed reply for transaction 1101 to 18854:18880
[  443.879848][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  443.885737][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:11 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x3, 0x0, 0x0})

17:34:11 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x8008700b)

[  444.039804][    C0] protocol 88fb is buggy, dev hsr_slave_0
17:34:11 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x2, 0x100000001)

[  444.099089][T19209] binder: 19204:19209 ioctl c0306201 200001c0 returned -14
17:34:11 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  444.163749][T19209] binder: BINDER_SET_CONTEXT_MGR already set
17:34:11 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x52ef597f0000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  444.208720][T19213] binder_alloc: 19204: binder_alloc_buf, no vma
[  444.226775][   T12] binder: release 19204:19209 transaction 1106 out, still active
[  444.247681][T19209] binder: 19204:19209 ioctl 40046207 0 returned -16
[  444.255701][   T12] binder: unexpected work type, 4, not freed
[  444.262411][T19213] binder: 19204:19213 transaction failed 29189/-3, size 24-8 line 3147
[  444.271249][   T12] binder_release_work: 5 callbacks suppressed
[  444.271254][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:11 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4, 0x0, 0x0})

[  444.323163][   T12] binder: send failed reply for transaction 1106, target dead
17:34:11 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247008)

17:34:11 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:11 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0xf, 0x100000001)

[  444.438131][T19429] binder: 19427:19429 ioctl c0306201 200001c0 returned -14
[  444.492660][T19429] binder: BINDER_SET_CONTEXT_MGR already set
[  444.526285][   T12] binder: release 19427:19429 transaction 1112 out, still active
[  444.542334][T19429] binder: 19427:19429 ioctl 40046207 0 returned -16
[  444.549266][   T12] binder: unexpected work type, 4, not freed
17:34:11 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x5, 0x0, 0x0})

17:34:11 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  444.583445][   T12] binder: undelivered TRANSACTION_COMPLETE
[  444.609052][   T12] binder: send failed reply for transaction 1112, target dead
17:34:12 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80287010)

[  444.708053][T19646] binder: 19634:19646 ioctl c0306201 200001c0 returned -14
17:34:12 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x60ffffffffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:12 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000002)

[  444.748577][T19646] binder: BINDER_SET_CONTEXT_MGR already set
[  444.805240][T19646] binder: 19634:19646 ioctl 40046207 0 returned -16
[  444.840861][   T12] binder: send failed reply for transaction 1118 to 19634:19646
17:34:12 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  444.865482][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:12 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6, 0x0, 0x0})

[  444.906847][   T12] binder_release_work: 7 callbacks suppressed
[  444.906854][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:12 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0xc0045878)

[  445.011253][T19866] binder: 19855:19866 ioctl c0306201 200001c0 returned -14
17:34:12 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x10000000f)

[  445.065530][T19866] binder: BINDER_SET_CONTEXT_MGR already set
[  445.101044][T19866] binder: 19855:19866 ioctl 40046207 0 returned -16
[  445.108325][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:12 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x6000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  445.135655][   T12] binder: send failed reply for transaction 1123 to 19855:19866
[  445.171435][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:12 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7, 0x0, 0x0})

[  445.195784][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:12 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x740000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:12 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  445.293725][T20025] binder: 20008:20025 ioctl c0306201 200001c0 returned -14
17:34:12 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0xc0045878)

[  445.349292][T20084] binder_alloc_mmap_handler: 5 callbacks suppressed
[  445.349309][T20084] binder_alloc: binder_alloc_mmap_handler: 20008 20001000-20004000 already mapped failed -16
17:34:12 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = fcntl$getown(r0, 0x9)
process_vm_readv(r1, &(0x7f0000002380)=[{&(0x7f0000000080)=""/247, 0xf7}, {&(0x7f0000000180)=""/245, 0xf5}, {&(0x7f0000000280)=""/38, 0x26}, {&(0x7f00000002c0)=""/4096, 0x1000}, {&(0x7f00000012c0)=""/99, 0x63}, {&(0x7f0000001340)=""/4096, 0x1000}, {&(0x7f0000002340)=""/31, 0x1f}], 0x7, &(0x7f00000027c0)=[{&(0x7f0000002400)=""/219, 0xdb}, {&(0x7f0000002500)=""/234, 0xea}, {&(0x7f0000002600)=""/138, 0x8a}, {&(0x7f00000026c0)=""/175, 0xaf}, {&(0x7f0000002780)=""/16, 0x10}], 0x5, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r3 = request_key(&(0x7f0000002980)='asymmetric\x00', &(0x7f00000029c0)={'syz', 0x3}, &(0x7f0000002a00)='procppp1selinux+\'\x00', 0xfffffffffffffffc)
keyctl$KEYCTL_PKEY_QUERY(0x18, r3, 0x0, &(0x7f0000002a40)='wlan0\x95lovboxnet0 -\x00', &(0x7f0000002a80))
getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000002840)={{{@in=@empty, @in=@remote}}, {{@in=@multicast2}, 0x0, @in6=@loopback}}, &(0x7f0000002940)=0xe8)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  445.424617][T20025] binder: BINDER_SET_CONTEXT_MGR already set
[  445.444305][T20025] binder: 20008:20025 ioctl 40046207 0 returned -16
[  445.469026][T20097] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  445.469034][T20097] binder_alloc: 20008: binder_alloc_buf, no vma
[  445.522607][T20025] binder: 20008:20025 ioctl c0306201 200001c0 returned -14
[  445.537467][   T12] binder: release 20008:20025 transaction 1129 out, still active
[  445.556425][T20097] binder_transaction: 2 callbacks suppressed
[  445.556446][T20097] binder: 20008:20097 transaction failed 29189/-3, size 24-8 line 3147
[  445.562917][   T12] binder: unexpected work type, 4, not freed
17:34:12 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  445.596687][   T12] binder: undelivered TRANSACTION_COMPLETE
[  445.628801][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:12 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0xa, 0x0, 0x0})

17:34:13 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0xc0189436)

[  445.668467][   T12] binder: send failed reply for transaction 1129, target dead
[  445.726787][T20307] binder: 20306:20307 ioctl c0306201 200001c0 returned -14
17:34:13 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x40, 0x1)
write$P9_RCREATE(r2, &(0x7f00000000c0)={0x18, 0x73, 0x1, {{0x0, 0x1}, 0x2}}, 0x18)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
sendmsg(r2, &(0x7f0000004640)={&(0x7f0000000100)=@in6={0xa, 0x4e21, 0x80000000, @mcast1, 0x400}, 0x80, &(0x7f0000002440)=[{&(0x7f0000000180)="c9f0501740939ee50051ba1461a91aaecec63b5cf4c55e440a12042982a5148256e22a28438422d21d367776a57e58890d0d666c14cea4b7dd0408721b129117e76e92a2080133aead5d3c17e655d1c581f53432543dc41c", 0x58}, {&(0x7f0000000200)="f7b78e7211b3190111184ba605d0c258c379a05d1b3ddcd2ab717f3506003ac60342fd1bf826d9799c7127a2ec4bbd40ef291f828ad5b18db31ca56cd8fb8e0d7b8e6670cc0b256a9f9b80785a5f517622521d0a531065f25181d116c5", 0x5d}, {&(0x7f0000000280)="c7882e296220fad5f63f", 0xa}, {&(0x7f00000002c0)="8672a2b46ad9bafdcc1a2c1ac288ea592815d4319b6b212d55e5d778fa2ec9e5b56b37497993b3895d807db8dab91b9e59b51d187d40cfb2c820471f003d99995f9fee4de0a171a506d6f4fd5fc7a8c8baaed46cc133ad6da4ef8efe00e501863047ead56b18a02b5a7c2fa2d96b087c25b2623f3a2605d333d23b9258ad62ac30f24684f86a7e59eee1db37cb7cd6be75ca75a0274b2b05490e062a444a8c12e3c416d42c77", 0xa6}, {&(0x7f0000000380)="ae1191f4a18fcbd3e6acbc48698c54a9f1d1813e97b4988061852a158694db5945b1f100e903ce81352a697ac84a32fef2c18705c7f9c0f79bdc55cc0bf7a0983ba246cbeaf10f16c80b4bf001941f74247f0abc8b29ac4a2bd37a54779c025f6333ab54d571b00947d3d4dd9a4fe7cec81132cd4748e194fce8dad86c01e78cb33b6ac4c64fb905a5b42dd06cbe4f6125a4b9a97427fd2c6f50378e05c686bc77849e4915c98a930923969371be240219641f87a63889fdc825d4eeb294d610fe40fe88da36a7c6d4fbe6692709cf5759a60fe32ab95858a3afc7e4fffe1ee5b0c43a822f53e011724e3ab2afc248493ef81ccb6961d70f2fded74941f9f9cc856bfaf0a38e9724e8ee997940f9e98a56d655151774ac024b5d523aa1f299620f5de54fe34f929d88d4a03da79d7b49ebe7baf23498b02bbe4d10be4b8dcc27332415c5c9e3ad24559393e43f1cabb9994cbb9272efc1d26f8c85eb4e1dd1fb47d0f089f1922ae7112f15786f70c3dbd8ffa5d3f6c2bd6d4937fcf3602425995c7b2ed83a204370a178764148380c0cf652d6ea3d21ae0a7bc8064bdac0ceb55376268bbf3abf703737d966b868e780916dc42196bb4ffc35bd8d6f4e6f8a3f2f3427a77100609fd1fac0400fdfeabce8773a2d51bfec12fd1e75791db1674fd51181c9ffc8120d75bc2d07b3b1c63e2dd0c5771cc8b27fffbf2edb2355c91e3e3c57e373311c85e49c9f0bf7af9ee85b836bdff129bedf0fbd59b11a6c5465b9f8afc01e94995e658a97784074266b9da2b693b28f7f85e40dcd0bbc008c5c2522b236c8f20d7aa15e745bea51d7da2d5d696051dbc7723b29bf0b77e64859cb2b415c213ec2a87e2bd5ee77a2c7c3cdc80e883e8a128c6d3c449c0c4bc9088dc9008ed6c544f297b2b1c53e9223175ae381f5d1fa17de4df7458138e9d047af3c1ec1dc4c387716c7b908dffa34f3345d32b1b46c84ea43b18c5003bac84ab43dc19a9346c497d00a9a27bf353d535162016ff053945d87acd32c41f76b9df8523c017d0ac591c72beee2386d128cf38fbaf6f1fcf5825ead4b33ce396e3dc3cb19da41a65bbca29653a09a4858e2835dc3fe1bfd2fe5aab88a51a0cebf9d295a0b451699f093daf52781bbe9c4ad0cc9dcda7a76ec3d0e2c6e97765e5ad630d825e5e692a0f1d41ec07dce044acb5541ed1c989f023d5978a8b655e41e5d46284e0ceee900af60d4a2ff0560709f30214158d1ce400d05d06676e11005d721b318f2d7d1279b610d79ec398794b4ef47bb352687f10240a771fd530ab9563c70a84ad97f1f6d71e0dc849ee3a36a946ace91b09d1fa7039bb20725b1f67cc325e72443df5496195929fbc0c696a04a5911b85d50b30dcecdfefb4ce4ce9ace7f3a3b8f33c336d5fded1c654e0462f0cf3d79232b15415ace76c9a207226503191a7a30b06c2dba3714039bb5ba00ab88edaf9691a391793006a10f25888716ab0534fe7c9c01e06bf89a318a8aa71464885d0503acedb1506f4532223899be8e92dba28c8461f93c3422493d9d88a6f65041ae99129fb103f9e4d297238807ad25614eb525e6d9f8849f66f3cc79e1b1084036adc80f6dba86bd6c59c62a98e0e15fec6a2ca5989d49a6ea077ca379d746cb8156570ba92f1935ecc6e4bad6a27d842834029260b5035b4f2be5e7b4a5d0fa26a0f15a9631ec536ae73c6f95d5c7f0cf73459dd3d98a29aaec74c345d2ad26ae566cc1d25ef5364689ce23694be8e77ea1434bc080923c8d6ffc297d4f750c36a712102e1a7f26053596b39e0f9019c65ba32b0814d655c4d6fa57c236cbcfe7b49bafde468717bd63006e3d6d2380f65a28739b1458c5d74d78d9e9181af58793d924adb3983a919d2783f950650568ca957318a032a7b244af2c28788483d7980fe20f446f025bb77a6154c0d092e80a55b53604a4932d2a7aa6e6caab415e7d9ad09e634a246e2590f6d3ecf71eda2640a305953b41a63006d3f374ba5cd5d8a73bd20735bf0545dead7b9ebc2c5d21482c2969ace73a37913afbc4bf16242a715b0b096b583f6d882b0f03b2bfe32650512f3930f1b4db866c90d62d98be10814b6e394f6b3aafc395775dc484f7d5f1cecf4b4a2fbedb3dbe6b25810e6f6fa383f3317ee54647c63899269a4e8b561484f10a9f1e0aa9a02a1d6da041b6e503a7c6ba1bfc07ba53bd7ca95a0eaf3b4ab408084147dd53044bc74f2580d1aa68f7409a0fa4aaa5e746582454a9294bc9af229bcffe8895ff185236ca89307d0bef428f6ad4afd4a9b34642f2b53444c5c91923470ab815b725ea416f67238b9bcfe53ca5b3b8b5b19151ebffaabdfb7f7b3b97fe7baef9cda55a5b4afd218614f2f375da6d64dfc9c562864f5de95a3aa17706297efda3cd84a3ccdf6ac670c1f92f224d7e7f5dbf99e720250dcb49114a538fa8d24b0ce669dc1743e96cac36be0bb5f69c4b7a061f4d72361a02ebb61ae9b7e03a72b7523d6cbd2845db4fe19afde88137f5a2951461e9a9a94271010438f68dcd102c2e7bde6a21c1ef7db1abb5de5d0a06471835ffe55d6fb5fb83d68050e4c6e97b7e98902ad009651bfc1d13fe3f88d1ac776e96af37a32114f52978d3d69d14a7cf6596ce318b513c5cf7c9a1c1d5331e489d27e35090e4d3a9140318e52eaba92c6ce91212d969cff4a40fa03a056eb884f5930dc266c14cff37e33e027c00308e9ba96ce1873d97202c2fd4d18f18d67cc7f5c060b3c8b6fa2d92251d8cb2130cf23de70a27f5f83c49e6e608853677052145735ec8751b25f7fed3b67ba9f904a5649361848b6519b0ae9eb417f8dc02ba56d4361d0fad4f3c5347f69dcd514ef99307ce0cf2aa2688221e77e6805164cedb29e98667237b0b04aad0bc6e87dc91d820ffcdd4b4cc0c0da44ecc3a99573e7e912a05e840cee0e4e6cf11e58db3a80c2d7d1b803747f110d0bc1f76ad11f5f654afc7df56e9cc685e2dfd640e6be39318bea613c598e95af6b91de4dbdf698b311cbde265c04e0169c0cb7ed448660bc7250676e87a70ce1f14ece9fe67a9164420c115b484fdad51e8185973034c45b88d93102a4440d1f3e3ac22e777e7bffe160bd3074642c8ffd2592418efcffebf499131d4a63cbcfcf9cc615cc75235309c3e6bbbc1556c2ef1c19bee9def63b4db825310eb0b34a4876e305a8a5691633d1f800ae15547ac1a6210c5815d16a0d157a4249f42b12eb45b7c9617b080e264b7662c4c9e8e4c9d74894dd5079bbb94b0f6291daa2e52284f1a2e20c4b2fe2eca17e5fe209cb6779ad821023455c17a96b11efeda95db831a8cebac001b42478006365130a9f00b2fd6c8ea7db21e9a8a16c0f1e7b4ea9523a0fa23cccd3dc1011714cad1dfe7c3ca491356bed3adf20c3a9311752c5f73c7129709484b6837da02f9befbc1b3e5fd676797f7d3e64d85dd12d197fbecdab9c5d0e19afb7c5cafa80653bc13a891f753f24c0eb5f18a67472ffe0fe489d406786db516b34e502e65dae8aa55a12ba4758dc8b064470a060e5f5fd1f6a733607920e430fc251b9ccf5248cf4a3621879ebef534c273eb7ab6a0361029183b32398c8d771e7754990e9f513268cebb676e888954978a095ab0a276328597d1d3ec8e6f1a7bfa8309cc1c211b7ee4cdd1491fd484571483b9303095adbe50cd6f77dbdb58088bdf8a44015b51218c78506cdae53f08ea4e392b2dbe734e20d68b803a97c5a79ca502ae91cbf59185a604aa7d8bfcedcc0b96b5e421d8762eb4fd63a151d44ffeb2da4c0873f65cfc715954c6401675c884b71149ebcfcb7dd25caa785d8d4c82ae2cdcc7de3af529ea3fc830b475b3ba226f7540efaeb2cdc675d2335bd83fd2ae6ccd077e0079a55553dac1d3c1ded855c616e04bb7c9698d14a3dd36dff585081fbb925d0c22dfc08cd47d6c29e98ab92bc613921ac32de2436f16a6b533d87ebf82fce3fe0ffc72604a285c8c366708856db5db0e2e629a1cc336dbbe8533c9751572f7e36077586dc28a7ed2cf567cd71ab72855bf0553fd2cd37566e8943303c31286dd59d8b3de35f939f1f9dae383aee3440c7fd6e7f5e7838b65226da1b46677cc4cbfec9560d8564133813b4d9c2bcc3cfa47bad5c132cb413efb1c97227bb404bd8eedc98d1e66d5a696ca9564f94ae308d1df17fd4400c75b58bd498bee637994c0d6ada92594f610abe60dc5edcdae93258b4c8a39ecfd81b375bb3a844011cf967697108929f12f8632dee8ffde7daa60ec6c68ebe40a1f2a16b357bfd5dc0c6aaf67f57c3ad40ac6430be6328d2a58f8fd99865db51868a5463a61321acfa6c254243635bc245ba6bd40c6ee800cc788e402ebce003f0fda87966e60565f31b0590710aa8ce74005903ad7d57443ee8b93d8d28da6bb7af8ebf24c296286728be08df2bc220838d9d40feaa4fa22b0f6950bed6ac27057684e73f2220015acdb3a3d567e70d822f02cc75257dca951e491c082ef4771bd2d044519b84de7bade158c1ee0065098527ed5c8531161c20e5c5c4168fabfde327554d966549b04954a3084d82a40d045a7f674b8acd7c8b596612de3bc5a9dad51e9bc57b9c34018cc8ff708c5e8eb4ebe0b711ea51887fd4a74fbb1dafd412d380d2af172d4daa7d145c02f2bfa80e8aecec5a0aaa5a78a3d0b126ed9c7208d746fe8ad10c72081e23c61b6122bcb22c7b6afa221c8827389c9f76a9195642d552a0dce6d81856dde37ddada2c21ee8304dad4fab0d289a3e6eaaede16bdcc50eaff56a328166cd4b20ac50fad0a504b116b95fbc7d499f6e24fd0862d83b11589391e688f932ac69f65616c74fa7bf71d3e1a7fe0f440e7657018c592e5e56b9a1ddc44fbf09c83cff820c6d1a4113aadb5fd0e0a3a7c03113b9f2566c392d868298dadaeeba9ac13a913aa2ebb8b816f803bdaa611bdb7c4017086490623de75c5deb84f997b44af73a8425efdbd9faed148893b30bfaed8dc2c24903e307e5e187252263a774c7d792618681930bc29d0675d47ba6b9becf8ac1f787533d3139bc291a3f657e37e630a664ea73079b395db65ba3edabce6d754db493de40de023befb3f05ef90b9952215cc01b960b3d29eb4b17e272d94622c1b7c1ec349b870d832bb778d80233eae5c2eb311fd1f4e182948a796366d27e62686275eb3f1349d32f63409dc4a55aba2dbe7ff9511e8212f3508116af54c45755d72a2e55df3337062fbf9e1586028d739934ee90917651073d4a9da00e8d29c7e8122c06f605c257532e884d23cfdbfa8e460e3d702792fd8ae550a6aea554aaf953072c081b04d3573d5619d2be88e087808e0439b33995d6dd2975cce682f5e31de01e13a662704e9220870b6dc813e25661dcae349987e57104d108408d2065b308609c035b11d910f0ea43a8b501c7ccfb34a6f26800e2f4fce065caed010297c5f0579016799bbbb93bc5753b369fe19c4c5020e0083beea96d064a2d1e9dee54a4362f9cbf25bfb3b799764ebc37aa9a026127b728d342b5e414a1c4ade379a68fb9a1f24ab40c5c9fc888908d34843da2eeb56a9cb2d6c967bc0fec4f91ebd4235eedef9478bd604e8d01661973bf5a7b032fde452fcafd0dc074e3f9505f439e86fba8d26d0b96be4d5e87f96cedc343c056c13fa1f29dad4b2c32b336a09ea1ce57af8b2f364e46fcc46da352b8c5da0db01a131866b3ad1a5f18b73fde3a30e2fd03f99e9f1929f7d8549c36f6c7bb7ee48605180fc33340fdc3354c10", 0x1000}, {&(0x7f0000001380)="890e87427f323e6342e278d91dca016459aebd2cb58d30014b0c456404b4579192776198973ef31ae9f0dddcdc91b205df24ca8496a946fe88bf3e19a6c77dd3764344afb0b6800068d1aeb2a9b1f2aaab031865df7e83425b6dd51074dbd4be8a41f78d517a9c15bb06ae20ea14e0ec6ffd953760dac915163c246b75633fddde695bfaabe262badd6bac6b28f7124d4a380776ea96a7714eb92805a85be188865a96bd08cc30f7a536cf2b6f3138800890334cd171683dafc7e96f582cd78c9486247f3fb642070559f03230f2bd24e14aff0d46e6a20b531a44cd800da50d45b749d2b67c3aafa8d2b1eb2d6fcca6330540443c4028b621a03cae62fdbec1413bda34a05ce7031bf8527b5a4d4d0b0886996d9226e1e4b7eddbcce049d31d682d05fa83ce60ef892b94c6f309ee0bcb274e3ec10c0bda9ddfd3fabdfba5586750725ca51db5b4c69ba1957b8376b26cfd28b5b382bec18d883662bb094df506bddd2856c9c12cf75d34a20ba882c7278a24eb8931e06602bc0945e5da6b7003e99951f09ca03f504cdc0608c1b360bee7a54aa318e8ace7fc099bc0cc2e41ea095ec72aa2301dbf0bf0d29fabbc0940ae2dd872ece1d2bb521948d1ffebda72524540a9703af1cd3cfb6eacfa1b8df73038fb48a67252f455eadc075451aa1475c3bc6d9473a4716c8d0428fc11d4ec8be614cfc33cae93a122112fcbf5c84f06724bdafa8d873d1a0d2972a5bd148381ddccd14da81336cf2ef21afc1ba4ba94b6cfbbd922a5515b3f9491ba5783377c456cad30e9bf07406b720123ebec0ec4c5ed58ea04e42e3916c9c2797a89df6c688220d95db278fce7b2715ff8ffc1f43fa8e8f2e501a40562532cbd6ea7a4c4e992b687cb0c393cc13957633a143e8823bb297d4cca56df99e6d698e04b95ce6e2ffb379a28fe8f6682ce869429a3029756002418507d96aeb24cb277da44026f3e45aee48b8a951b65ae7469474b373c7f530e019cd96973045cb1ec5ad7088aa61b7286502ef2a870d1ecd8faf6532be3ddab614fbea0c013d419a19be31becae531405c25d9a7136600985972e8248eee100bbe2e563cd9243674cfe58835344bd43383c4e278965554932529aa8011c831455ad6d27025fe5d820fcefb9a1fcb65de475bf9629c0a236c89d3a814efce8e8e09192b92c98e1cdca1ff14f09022d80a125846be878c6803abbc5b9a008de08dd79abca7742ffbe6b00865a61d2cecad79cef80d2429dffdad6d4aabe6c6116765538cd03b442456e053b8cc7e4c83557eaa929da56e17cf0479b082a144db0ec61c3a024e20644390126cbb84bd8bfe6a5d9b4f86abc9aa87e97222bc60806dadbe8bf37260e303b91d16f22c5b133750358e3af59dfc822ef44705a7b43bbb2d69d0af8b032854c96e19c9dcffcc657494bc73c80df035a8ca542e216518432c5ce4e6d11e11d13c5455c5bbbdbc2d37635ffab9e912e42bf509dc4fcb4f83405794a95366070d62982d3a34ac3f5674903580309b336833472b2760f902a0256e24d9a51bcb30bb52821951ebf24977433b5ca5c64d7951a26649be3fdba07df4091945a1e8495bd3da2867256871c1348dabd923f1b6325943c2a1cabf06f28f82f1464fdf483115319166c9d4bd57d96a34004d82e317dca017a1fcfcc198623bff39dcf5b05d0b4038a4bedaa63645eab529642fe43faf66674a13dbdc08aab3b0725272a414c4281b5e14dd3121318aaf88e8948457a1af52b4c42fefdcbe3f1c986f2bf13b7beb2a055b2dee3b066038dc637c7aef09978f29ef41517d5dffa7a883357dd9f8e148027c5350fbc5ae9b31b864b645efd82dbaecadc5eade0a80408507e8819c7db44df6f3b4863f821bb6723396bcd7daeb781f5244525eac36bd82354d166505e61ca2496ec60f05384fb5b424a3a37700f761f7b067cd700480dc4b1d5ee9d79a8592735f75506caf7eaa451d62f653ebe0986ac35893a4b39a26a601852df3638e17a90662fbf21efb69bc692bd92a115fe547edc6837c33c21d2a24e22cdd303a7a070f19df10c38ba1d0a17ca89550c6953ca240e2fd5ee5254adffc9555739426b145aaf0a7e7ea525010115f601ee17f8c3294ae11b5f3bd4f84e8007e1d9f3819ae8a6f5be48aa02e207afbfe8c6ed059f3fa6518ae6930a70c8d5bc51c3cb5edabaf089d7643622dbd575c1b9da892e9f11f87b9110c14cc2dc36ce20478ce13fe0b7908f02e3d1736ecc8a2156879b2112e66ef0d2edec70cf4c6a1b7db3484c6d91ec27444bdb7de176a93375b24e565bbaae5d6565186e079096932cea39f2f23b7c839fda3b0670258c61755d515c3b70a09c00585b7b7a5903098881ffedf638e13e55ecd8ed958a055646c90b7de6487d5a72ac6aa67bbadf28c0d522ebf2101d011fa0f867bc748669b70162a74f312f8667573eb2c7546c0fc763f06fde6de8ed682d6eb8d394058074e533db3d53df1ee27c9aa813542e0d6d8c62cd41bfed2120386a057618818201a9c09b200c66e85b180607b3bcb34a34b39869049d52a32028924e6bbe3c30f201891e64662c91fd8c61632717f7779b285d40b32aa374209a0a913cf62bf96d8a8adf0bc4a95915f4a3e52a2c7f2a7709657ed278e9fbb709b49a6068c55db971c85f224c8c67af77a2b91c6f8b2a5b3ae85e13b6a46279ebb07ccc05127242f6c7979fd2e4818cf058c41f3700d041e4989abf33915b032491c649f807ba8b7da64513e1fc4d167841aa54e5e966206b5ff7ddd79c0155ceeeb4e0b32bee9fdf502968ca11660fe351cd565aed2fc2df3659fd56fb27700ba815e22d922a194e1025f918b82290d28d860ab2cb3e61ef75990afc74ced57d422c66a6f6430bc20a3f3678822943f2dab82844ec8529a119b13812189ea279221dd13c11c0b3877ebc77347340f675d69118c11675735d16e4ce6ee4aa36228d62791e18e58e93eb868b954603aff493581244d804edef2573860083f10417d7ab94ea1445187da8a5252303d08fc17a7d701cba8928174b8350ab24f19dd252772fde2965b389d9f9578e48b423c6ad8db39a265aff2435a74e3062e7645d63c691aa595758dc06aa802d236449f0946112b313856dd3ca13d700084098f2f52220fd195e186ec1bbb28c3401676d3cf645774657d9d8d24265e54db0404be9c1f3e2bc638c143b72c99df2fc80cb86236fe6361bac183c065dda570d0e69c02211100811076c6c5ce28856e77b3f23bde645cfb6192eaefd50547aa2ca3c5a972caeada4878c4969e368997ff6e12ce9723e4cd923a3f75d2a6021dc6d642ea9261d428b5ba6395337ad8dc626d0cba1b7a72c8671f1612d4579b7663b19fa097193c6daaead8a467fece8de090b1f8a67473449f9b0e6ac4378c724f92210e63cac4dac8bb136b0ea7c3d217dff367a8f2656c58d10ca8d23fa02684e2e57ea84de9493e58a03406cf78a77db08428ef211d5d160bd5bd8236a29db6efe8bf4c9d810ccf73633ed606367b7b83aac1292ab28749800ccd57156eeaeec18ea08fc58ea884da17071154966daa1981009f9f4b2fd4824affba55bf9f6201192d01b76a0c299525d50e759286e864f131508fa76297d67644a337e8aacb56af4047112346e96695717c861ba8a851c0ab0f219de7083bde546bfde90098b9ef70f170469662833c9f076e283b2aefbeb385cf15ca37ad13f4350ab7c634469fd3247aeeb37497c3097a6c8a2fa5916d1224d5e19f07bc75fc358978b8b582b28f0c77907e7d0786d5ee0b7b8bd9acfb328a85322c00aa195051ece2773440b62af99a70ce4587996552269feb25de286692e5de381830afd8941efe98e8fb3b3d6780756ee4e086381fc263bb99ce97bfb11836139e443ba83988554058a0bb2dcf1bb11dbfe72fa2464b90b12749aa59da322b2e9ac8348bfa27730cb37045ea2b4534b0bda4ecf2f29c9c042e6b572a4832efc0e9564663550ef9ac0617c72341322598f973e2216d7687ff119f260397bb7690e4768acbdfc1612fad66fdefe93ae7d6a84bf30afe4b1db10d512c266f54e20157e653926cbcdf0911c6f1efc4965036410e62d22cca793f7a26727e37717650566f77980ec216a6d37b4adfed1fa02a07cc530422bf117816d84159b2f14532b8bc8d597bf02932622c879da46eade7e6643f5ccb2ac954e4410ac1957c52e7dd5baa7dcced9d039cb57ebf7fdf537912e0d507d762acdf39aae3e1b1ead50509f35b5a7f9c44a34dbaccfb8a85e30eceb1af3a400d5a7d204c186410347809fecc8ff1d1f66225a40cc84297c37b69774b0c3b4b72cef0cd37a9251b38924abc83527f29a52a42e4072a93c7d94fbf345c951c698b8a752fb0d8e04e03b97f1906414946dc6166c0904fa5d916540b6afb8dac10663f0b392e678d7f346acc58f33bbd50bdda8fc2168e2dddd9510b968dcb52180f33b76e1308426f7bf8e80cb753160a056534861976c98f5ac85fb6ebe0f41e1a6abf08941659f17af6a865e620bf021bcfba22064932ca0987a7c5e54b84b7a42b542210d01d6cba28d584fa68745782e0fd9b74142f4c843fd77fa06524ea571d4294f9d79395617e5b3598dd0a81501b5251ec39f0594269521c80c93965eb181e4048fd5770bcb1e3b8e811f12732849ebdd667120e90f2cd919831e22871d19803cc735b3875fb939a1713905a3a1bb7ebf87510b580a7872b42cb72419d50c4117bc6dbbbfdfcddf37ff4dea4bedbd325eadea80bff21695648a89784e78d98b06afa29e7f444fed39f8777d39372e28b7f1892d2a3e5186145f63e49fcb208fb1940c650cd9a3a61ece1106111ab49cf253649749504f26bfee8c08c91f486d3ac2d0e8505fbacd641b7b0c57f4a0825f683ff84e951aef468e11efa2fcccd1b4e2cb897ac0aef8e1987b84196bd4d1b13f0a4a3bce069e3f7cc853ed0b26b241de25ba0b2d48636f74863e6f0fdf0bddfc9b4a3458b7627889d0fc9a2c8323aa345ece19e75120e99ea45399f2d7a4ad7d691b62e949857f834ed2be08768dfb8980c8e5178d0294c15fecfc5756e5d727bf33a8bef0e747f1efaf2f7194552dfda26fb8a95a17a769d3b0e86409e7eee774161af0cbb9fa2aa44dc0f2bfc2f3e4efedc84092035e63a8a8df70d21a578ad91ed536dbc39dfdac2fa9284402a24a423cb74fea1abc3b52fe3743fa60015bd08afa07cde96f6f94aabeb86dafaa815745d3e042df8bd382f9cee08b52713520624e90166a853fdc826f48a73368d83f333efa5aa92301641dcd4af8ee3996c0a81e8a7a16d597bafb7755e1b50136660109c94ed11371dd68aa40548849ad761b669128b7227eb568e51b00684d439cb3fa9fdf16c4847af1b996cfa3883d60fe679463b075a1ea1f964e34f9b1ae5434bdef42982b06c9c601cee12ecf3e7e480ce38f8708e60f055ed081a5825161154a8e724a75189a04b1e597b218cd0336964eca23233bff32626a490e76c35e80e1392b593a1a3d177609de9c296404d8fcf41aac867c8630c5f8f00fe18c3d607d8f707d35d70350d064a70489f3559a462fc19f4673606bd34384111d6e169069c8e704e8bc5ae0977ceacb5d95021738e976a769144bd072a86b910114d49fa69d7d5062fdbc16b99e705f24f2056a718f806e0887e503e8edd9a98246fccc82c23198e4e79dcb152cf2d40866ceaf5258f00dbf9f79a688f2ae8f4b1a96c77a215e8dd29d8a0d5d859d5fd18d3bea4814", 0x1000}, {&(0x7f0000002380)="d6741cee8568848553c6dbbe158d4549f026048a6a1fe638bbf88f03c48e8115f45ab6d22880230df4f88a765546fefb8f257e153ddc5fa21e9c956e01f0ead345153531340841e7779b1d1ee86fb3c2c88f9824390ef68ce0dec0692abeaadd88edfc1fed97da26aa2deaf089f7ae6de66982871bddc837a0c0e61e6e76b76f248632c264bad5012c630e43a14669081a2348cfdd2b73f8918531803581e22f8c0a1ad2", 0xa4}], 0x7, &(0x7f00000024c0)=[{0x40, 0x110, 0xb72, "4145c2c21cda32aad682611b4e0f2d653efea012a9662ebcb95ca93caa5b851c46e24eda0452d1f7d44f"}, {0x1010, 0x0, 0x7, "9c5660aca18f95387be14299488713441fc56b7ce457908be4ccaf1ffa5604b9063710c079e4a3bdb22608f34166e673a11b46fbe566392b62dd03eb9d596c1f211d9fbd02595196a1f2f25c04f627b0cad1840f5e1b9f0d687db1f80a9915a62aa23fd196344d18b56f4e37cecc00d8907f477502b18298e455ace825e75933c0a4e0149cb0abc3eab1a64feeca011b6618a5f239cd7f1100957debc75309c1601998b60a7491b8eccf0a2938175a17d3a20562f95c0ec46aa5084c86b218eba1365711666aab8ebbfc6ca48024b1f36742b5257fbf73777351914281233254a34f593bb03946ff97f2515ffecae6022a05ff0175eb7bfbf0b00ac65960cbf46b491be23abfbb54945c625929d86e4e39325878e48b063ca18f2c130bf0f2a54634990b2382d5e0ede289c5d998c664ddf83d7b32096511c6390c0bdc2f4090f5e818127da897d20f497bce01c94b412887eb4e0f5b495f56416c99e5f7a4b7fce4674b897f7a2cdf0607bf5590367477b7de291aaac373bc8be36a255334845ee4462334173ec8e1d57bb1728f063f6b7b9d6f17603f2dd8df0b5c21164b25295b102f698f147d0c8fbafc00052f69637fb52e240c657c8c32e53f5a6d209bff4a3e2281e1ccc1863335a171bfc10f778114187b9129566c44e968c46dbc8b1a116f9f1508b722e459bb13ca9c00fa8b440f40591eb0fe6fbc7983226385bb0456690e441632e5040ad45396378b3eedfdcf4c636f419d8421677d2b80164cff86b423d1af78da47b34b575451b2b4c2216644e1a5e3f02efc0fef04d738d90e4427f9358eb3a2bc22be2952bf7d1b9548b90fe6cd5337da88dbd75184a5e89789338ddea593c54198dbb520f93cc47c67604ba21a0b5ff98f2602155a493dac8878580ebd68759ac57e24d10cc7d6a0a4df2c896d43a1a5e5c0190adfaf285c0a39a0c969f6e120cb3b105349c715f6ad6a6f4a089c7dfabe88c49515ab5a0ca2514c6372241bebda69b30b5b45b11b46c040d4047ab017331b5a88caf281b35896b0c9275414081293d833c58923a4bf04a96d951ab7b762448367d35d611424fa19b4ebd79ccd79e5b19b7c7a585e09b9626a52db9c8a0c575a05af232d74440f35b70ffefd9af0c5e7a2dd747e8fb4ac33e34426eb2cd8f6cd7a86a656041c5c167d28a57be27f5c0dbaebd963df0d459ce5b08aa352c6e818891eb3e965b12af3cfa222e8943de104b0c0d2df1af0021818e4e135546dabe7a6139f82f9167283cd78fbf8418255ff9adcbe2635e903aa6174cf2fafa6d15b54119dbcbeb8b65dd4203f52eb20b3c1e35520d8af485949fb12c94c228d652108f800c3f95df8f4eec5347c84027edd54cc892211eacc6bf726e5e0a6ce458f0740dfa3956269f45812cc5c8592e48eea8f095efd51c7ae1008552cf3146eb5ef7eebb37eb4ee6d3982132746725e4488963dc1e0ca521f261a6764cfb3b9401ebb1879a39c2c3a44371462cfbfadc81ac7be9baf895d8bc6e0656a41845989555e698f8fff54c23c9a660b44e7ecc06a7b81319b135cb6352d2614385b037e703fa6ddb9481b8ab317958eae27197f4f155ca0e734fe8e63113fa609fbbb0d84c60dd165ce14d3c791bf29e9a0c4003859c861a35f5a5429b16829f551725ad7d3b5cc6b5ce3383914168b516ed0231ad12d330578c79d2b28581adbc6f80545893eb861e3d537ee8fd80ae4fe42861a44bd7d2a5aa99b0ef9242e0caa0493379e0936aa8942db295f9c80a625f3169cce167f47758ef3629bb4714146acef6d9ab7666936f1901707e976f72f24c2feb693e160e8233975d5000ee5ce37f35933f149643116b5914a36523e3966c59b646c34c063dc003fbfe72b95ea1a36930d4872f3453a26b21af46d7cd55d8c4fdf820d4e94a9c25756511e6d896b5393c7dc9656962d11a10dcaf48e1e0d9efbeb9704e772ab86dd8eb4209b05811f2f7242d1e5f66ab59d610eda97cee35deaf9459c861202f718ed7ceb01df6d3f87deafcc7d0076d87cce2d4aa9515f2c45b03694dab0f9c9e8c3b769523a865a41cdbb93e4306c973f4d10ed57bccaa8c5186858a864fbee1cd0c52c7790e5e899b9c7b6949dde761309f266b161a99f70f6c53f1fae34a34ff88f4b2777804728398bd538fed36313a1ee9f92f40890448d7267afc27feda3e0530c035c502dbaff7a8d3f59dd12ffaa51841063ac8cc0e3560233309d0edc772bdc2084c86d067b0702972a5735130b1b6dbe7a7805c59d6b46c3baf34a2f0847e782eb8a4c0b3a9300c13d01e2446a7d9890cbcdf3ead089bd60a8b5532b087199a7485e2b5914653ba113adefbdf1f083e049ce9ce6ed0df15a4281319502cb505ff05739bc5388d59bdbd43e927ef8c1d3ee9fd7ba08104be0d9b6ac05a2e365a6add0d06bec8eefdcf63aace17e5265906cbad56f9e6ea2c7e2becfa87ff419e913c94f6fd2eace27bc37c27fdbf9afcd3c901d41611a6b16eff207287c33e7b723bc807225c3309b03e66db86684e1b9f79b9a18566c904d009bfe8b6cbcc9658bf94e198246d44a84fa6e7c7beb380a46e26a71777ca5e7e8f5ec0c24d85d2e15f7e42aca1a008c750cc66d78f7d102139a643b1cfb4e77251eb9d1c77d5cb46b69e59f7c03d57db54b0b52197e3e16a7ad89039e1bf3e9e57777b745786366c7bf2726db19edef775d479e615bafd20d0ef98fc648269e7d14ecafa51d866dfa7f61a92f6000379469344c8a704826bc7ca6193e61d769459d2b95e39d654b3e41339f979e66e10eea57b9cf977283b34bccbb03f17662877c183b959eed6b128be948b16f539832975b31b7598be7cc70b449b46f70e129b44fb0fcc7fb8e3b7c17fcf12e976b8cc76ed555c7dd38164f0131a8b99de195cccf316fd0d71c4051dd68d4e950c0ba97da4c9c5914853033bf6682dbee384672163e42a863c8ef2f7c23392e1042c55f09f6fe8a89bfd8b467daef093aaec0195cbffdc41e49835ac39ec6f1334c4a89315bbf671051bcfbae7312e3b297fda2efeca526819b66d468887d2c5a4dc6f7762109c989c713537f0b7cde4d1e8c8539bec93e7b349b7b147597c8df51f6b327f8ca13dc00e6ff44fe157624bb2adf983c9372f233b00887e0ac3f23146b27e296137b2e3019322c042955ff0e976216602a683ebae1dfa5e0213e928910773a0a2c187e3639ae72d756a2ca951a632d5efd08b87b3f062d08d1890b4bb56846cea8be9be92e1236200c3c0e702138cc11b9bb6d8a09e6baedc09896931c42ad4e83d56143d615c07bd676b0337e8a405940b642274f80a391515102ab7009f2f137f175a0590d70dd3ea4440034cd878529e641ac7b58278d9d20a53d952ed1c344de7e15e41d73190a573f33e849159e1888cd9b4b0a1531bae62e37916b1f6ad7dd30c77ed146e00422144342b2049afa67f79fbef77e4a267d6ac32a53f3b2b69a418fceffb63070e640056fb084ef7627c7476acc9fc002eaf3d9073631b2bad2889ae13a0b26fca029088ce2df270e77e2f6ef4158071e1644776cde0078bbda3b4bc8db6f6c2947dc109efd26e027b38679b59a58a23857d95fff4eafb8cf452e75f8e51f6c69a8f350e9e1fe2a6c0e09da2b62b2cebe731d1d5b79f19ca82b3e21d6d5a2bedf36fa1e10347d43ec714073cec05e71eb290fe3cbdabbf8b3cc9e0f9804c95800c1322c60bfb9eeb9327fb01c7009620bd50fd0c7a3a2dd4c071f58fb7d8acf463a013a0a655f41931bfabe67c28548025b17facbc296b2f72c0efecf0a71970ca91f75aaa7aa61133ba620f6faf57f0e1565daa24ca902258327d05426d16e54602c2bdc8713f076d4e4c4ea929e7d22a3338a8fa00c4456867884421840b1a4b582f17cf623d7d83c6def6e49c2895357edf0000304e9f0983ef64a6f4cd5e56b34d1fca69dc9b6370ed6c6dd5006340998d3c3c6f5f1f304b46c79fa996d185c13043e988a432ac279df7d80c6cbac8cbd5e77cb7711a59a3e220c5766db23be81b57f71d91b04e6e620007bb6c3fc71c00a954b3eaa5b6ba87a224197b414b6bf2946f938b8016c48dd15c50c9be10b0de794a68e62ac551caec35390169f1a46310993b45c98b992283fb66a4a68ddce1d7cb8b3e316f55ed1d4283e5cbeb38f96840c1cd7683a535d7f729cc2e80f548f7e9c99e15289dbff2e67d73323521599a72ad1d2e86730a2297bb36e8ef99dc259ae4a57cff5eac9e15eaba8d462d71bd4a43f24cc2422c38e5749fa98d3ec135d9b61fab40903ecc1b429c7ab679a30a3049dfe50e837fdedc8ba7353502f5f25f0585364f8c7dcd67d0dc0ed750f078348b56c18bb4b1e3918ba9b570c361a3b704a4415b35c5a1a89a7c26cd595494156f2868988902e63655f85f26835ee9380e995f54032aefb70e8df0bd9825e07bc2b665de1e45e157ae3cf0cee15be77f6b107fe30e140c335327643d55bf6c992d0fa70b52f471176214f89bd38a2aafa305d87d7da68fee2744a8162fbde51fafb9f5457682d9132992986ce965a704004cfa30649eb6248ca9c841b3bb54f388b5314d239f76f38cae3093323dd3d4a081dda07bf2b1fb34bfaa99034a827b8efde73cab3518b67a6ad04ec5ca3dd6a563650db22f1ce00ef56a3b74897bb07fc74365a29fae6b63438dd11413d7c4c07c38278b88b23be360ed3807b0be738e1cf2849bcb16e74fb306420009ea88f8c0cf2913f8e3779ca5f50d9fdb2105e47228183a3caa3dc13fa1959c5954c4640e31fc77fda9eb03b45f1273932943049a0cc0316f98c4c771de8a4ac4524fdad1f6a124e5d58aee8fc2c1ff354560239dcc977105fc18901df020133d3c241a47695aed73b9f7851440e0b72b713841634446df7dbe4b4a671bb416d912a90a5560bfdd18b6f28e7aedf45f7dd54a8f8063cebe45eb16ee4aca89103cf5bde9a38a83080fd4a004e69fe50642d71f2a6a1d76c30ffe28afeb3d778adb060da9c06d3d29b8779c9c465619382e1affa41bf70a439a1646ac2d865f847c73455e94efd11595862bee9578af3aae8674e1ef02ab21be106d72dc5077142d5ba3190b0c412129e101a1dcf923c3bd442e7b359311555cde5807462323ded5a4d7259fc2b846f647fcda3bf62b48a689aea4591cc56c56ca258238f9520875f22ed84ae9893e0ed76990d6492f7ac308eda69c6dab5308876134a3f0862392ec4a1474f8f25d12ae8694c6db4984a752ab5c82eff25dd3ba1fefd44ad43f90538fd190c75761cf34bcc94b14a3da0754e55f70338f05be60652f8f39df5046fd305b0f7361d2ca794e4e428820488cc622cd80aeed77891736c4fd82637f20f27a14f2d78b2d52ee156d57f16d356ffab5c7af15d3cff2db913f34a33f7eef321b4cae4c5b9909bea2f0747f3a0ad97ffbfa9fd203708c9902ca2f38baed0e833706cf9f8eade3b9552d1d7553c19698da910047b78649d06b7c822bbefdf193f991e0434530723ced5d7181a7bd4a96149e68f57557f561ab30581d0a4f107b4a2adc70984e2e82bd966f60f112c6e9703bdacf755454f6271ca7284929655bf1ae75c581944670240729b1905154a8d0cc3c8d333ef7406fc6465c67a2e96bb6a98e7f57eff7bebdc43ef6be6768e36829de6108c70a83fc2e97d56f783c573fc746115874eb395ee4e241290495b720de2796e467cee3195c3e729b5d84b0d07a26eb9c613170ac5b15ee398ef06933ed6949b708ebae388c791c18465"}, {0x1010, 0x107, 0x6, "55a1c2d38f2bd5429c1aba06d0aa184109cedcafd9f670097599f7512ea13553c9df95a143f0db41dad911436628e9c0c69305a94f02ed7a432aafe3d616ffde67ca1c29b53ed08f1380588fa86df56b8d91ad3c10624208fe4a98e4a0b1ade114040a90747b8d5955d392d7792466e9c0599f6e6851e6e6a028b482be0af355697f415daebf66d93d73741871ade72ae876a2a5d8076062bce709ef4d42976f42aabbc61a51e2c88000fb653ebaeaa2d30e6bd90ff245987cba30367af079e7424c267c750227129fdcc24f17450fc4c6df2e57874cbf0efcb95d729f3f7065577d027880732b0200d535a2939601b41607095ea1dd9d2703ad4a4b0bb764d987773a12ce61f9b3d68753eb764916cec14e955fc8949ba9484c11f123fd51ad26eef65eb462c3d3354ea4e529a733a8c019b7bbd835ff03e22a068af63b57cb179b131b7ca60298d6bd1b0d1fd643b9f25a145021a431f243dd651e493808df9b95d8a1ddbef942c8a748b81ca97a3e0eb6f7963e4463c0cac1cc8bc1575ffb3b9130f4aa81ba7490b02d2ffa23a7f90c31a1fd4c8ed9a5725b78a86c78d1b5ffbf8fbd20acb0c2aca3766044cc98b222472b8b6b0b58976a2ec804e920a3167c39057aea3c60dd9b3a66288bbf40db590cbeab0e0b57e72d87381a685bad1204387a485d9c964d1bc08230a58fb47761bce3c9f2ae0ae66d99bd2b219311ec9159f67445176cd4a9a1945bd77b5fa39c71f4900952276caf4be86873c4fcabbc1072a7f012ef0db72ac67f37a0eb8242ead61f148dadd0dbd8bc5dab3dbe3d6e71779b54c73b9341b8bea1fb84f53a54de2cd59fe12792e98943093ce744995ab52ea47bf6e6cd0cfee336c8627a12ae7745b1974ec76fdbc0f9775951fd441da3573a861a863d99db0532b4ab18258f413b80f797fcfe9e40940345fa010fc4295b573b1d1dec26cbea201561e45f46adfc9f1f63b5af0d44871711f2aeadb62dd79f06f865ae6afd054129500a636f1ba76dccd123010650bc25327f15aa5b9a696d6b75e4945aa1a0aac84f859588a7de534fbdff533424afcf723dfef6211c83fd1ad4778be769fefbe60c36e5fbfd3306678bb0e88edad70e4b5062a2f0c3ed69933164c649729a00ae8388c28bea67faf4b020ecc6149c65bfa8054300446256933f90ada6117a50f3adf2d44477d01978f2ee3f408c04c9595f5d7cb18ef0fb379995fe1a3c75b95252b506e7ef14f63816a02f1a1def07331a0fa100a5d6f9135a21fdbd7fa6221e8dfabe5ed55f3070851d6867a066fb6e0b772fc0a35db727f92fd2bcb94db4d989b3f469d9797cfb6d0f61ca8cea33591e407ff41f4eda5e19a57d5655fda3c18c31bc64aec315e469b82f6f3788c799884c45f5a01051ef8645b3b1337fb748da7922dcfd98b6fb441b57f0d3490c239a0585551765fe00007fabf6aa84f49c0bef203e4da8ee09736ce1b9af6ee81c8a22b31e01781d42c8684c22f50263ce8c2cbbaeaf6efb74eb18924e828d035c5b958dfb0632c4968bfd3bac484442f4741f67ffe30e54049d26fd46633c9be3059a832e3bec1531e4c697e0d4e7db44b802faeda61ffa4e5e06444a02a5e87e4ffe72165a97050828235759e09c27a71e9d518bd7c4ea87c12bfdd57add525fddca682fd670b4f7ac185f212541617f6446cb0eed78fd994e8c185c00c38a9b1e230ea9977df573e23b1b5faec2b296d430eff739d1e5282688813d4fcd57f5bed14f60bbe849306aa7510b756a3c72b2aedb86302007e9eb85e4f34537c4b24ae93d4c3754d4d418314123dbf45f6d07f94c3252b78462b5af8df07dc296e64ab9a64d15edaee66e21d6dfbef1973826ee91cec66f44ee65c96f9cdf1a35e2e4368756181dd97159807333ee2d5552e1f11e35d95a828295de315f5b18b77ff36b418482e028297b280e66455f23a71aea9581614253a0e1cd5472b7e2332ca75af3bddb0fb22bb22550b6e403546c06118a5c7e548cb52914ea6bf6455cd0ad619d96ed2d582a176ed10e50cad0ff52b20fe000f0e9a6e6eb59ec26ef9ac0dde0f859fee8af962f4da655d1b915dd51250afebe8eb60b131155394fb6f5cca5753094cd33e5404a234600e472ebe4ef7c3024c0ec59cf4dd30ef17170d848e9e16f7ee3e8470118be419e41f9104e653e5316c5b45041e37afbce0d0f4d7dae86ee6b802c169d073305e2ed21832318071d54112bd2179e9e910e68858b20846be331df185ecb34197aa31b9763105c061284efce181d8cb071467cfa50ef576646369ad85a820141d4dce44fb4c36f13a98f2c70ea9c955de1bed42d7badcacd0997f97f841b092ef04a751bb1c0596309a22cd6849e444573d243e75fb001940d918f43eb17b264c133b0393ad0ef156080a44132f55014b5354aecaed699d5e04bcc1622ce6c7dcb2dd4023353c2d7ce9e78f9360e9d7397a9fbba3764dcc33c6596c397df2f6b6b35d6775e1469f7000859b7baa66b48f8c0dd36d2c8af57ac069575e305e7adf53433d2f03c8eb4ef5df7e082968e311a4161cb952f7174e8eb94bb28327dffd9aa90c0a522ad9d7d273c65553c26887155af441642f46768d93d5a5b3cbff0a90678a5f83dcf60f21352e6014950180cc0dae049adfa9a534ad9c3a2314fced34c3adc6857e9a49998ed1f3a0f318e31529e7a36ff7c1561be7cda5659bd6c3da0af6c66a19b5b9cd0063d6eeae479cacf64abfe95f6e1b921bf0548dd1eb77861ff993a41a120cae7eb12c580f6e4c41c4c68b92d3b3199e261cd6bae1e5e7bfb946e94c8c12f57428d20b6049bc1f08310072edaaeb695a9ae2b25e933ed297bad50273e766620bab92279c0f41ad6627a32470b75078dee36b1e1d1153d56498bae35247abe37adf77f1bc9f1419a1b23ce92cd1d860eee45a777b1e33587ecfb77a9e7547c72a67a4ac73b44d2392960868d4a97de324a5b22a6a05f6c8955c89b2905bf248c29c5962aa910cee21b7751ede11f3edfd6fc9ae71a0892b64ebaeb2eafec4eb118fe290586ab4b9ce15b885917ded70f19c504bd424337711f73219d4e07996972e94ef2f5f74e7aa5263b8cea0c7e8d7be96409a3035f1ce667c7bb5a9c0966a8f0d823d48e8ffdf55c4f8992a7e85665bf4594c7c1cac0a96c002b2840e4c0c5534b69000c001d4f280f1b5e96cbc650c2123bc0328c0b659fc1c7883eb859c18032c9692ea6c06d630c0028d384f7b0fda53a2c25b54e879bb4033720d687322f69a732e6ca72a1353a85cefa5b0a04c3194e8847bd6e6e1d572255a5ec2586e87cb514247adf83a733db85ab91e1086a112af6a6af080fa0be9af74198e78b0215c811e8582d678b9a64d85d6c2b229ea89c1156050215ee678e7c960f9bd6b77e30764b22d4171a501ba023d53945d4275c828685f52da100aa07b55cff4c7f1a40e4cbb48c2164896392b67072a7cc448bb1e6a155f34a1e795c4bff92e061eaae59bb1020f6c6b075b6f4ef543f6c930a72a362db38d1c4a7723640804484fa55c656f31d5e23a200a83da1a33da0a9a4276c4aa1ccbc8eb0b7ba329bcc8e31fc203afd5b70109d57be69f8da19c7c90fe720a608bf069e4da2489d6be3c2c2253010ead29aef54e23f68bab9e9009a18c69161c5070fc90246fe519e97247a1dea4a37417f764c32d10c3b96d3b20d65e8024ef68cd3ce7252ebcc4b9b2be3d21e117d118342e8ca10fecf861d3ce3e7dd4f3fa2b916c0bfde97951923a1ba728d53f02026e48135ac03a4fde17e2e3014abd30fcf8ec3386f1c967bb4909b62a055bfaf56b32e4b42e6e7a75a6e25bba050540a55bd8d8f23b7429a383df7ed9b7fc8bdcc443800989a2ad58f7a4904b6ec725edbe2f55f6104a5085369711ab5bd3f4337c02bdc854a465a4648423d98fdc7129080c1f10841a7148c8b929f9c76e7efc7084979bd3647ae843197d4ff8056e3c337cbf8f3c8cfa1caf1ea9d9d771e9c640f8f30f58a9e022b285789e7fbd0933e9b1a7c2223297f0c35699b24c6aeb1ee172b279912c4a261a9603b5076569ce0413ed4708965fc17057b76948fc2bc5a98d4f645d6e37d4940650ff8d35f04ac38451febe68601b686e316cda8c2e0d7f39c8fb93aa199dc3cf043b94ac15f3e7e06d6db98282be55d3343558e8a56b6036a48e301fe9fe6c5ba92094f5dcf4f154e258cdacd72a9703737a4f87ebc95ef2166ec8fe36439e0da0844a082deab34d3b496a836018c0eabc050d8c08a782cfd9583363eebdc7ac5f4a13bb36de4386a3291e14a92d9618826084d8ae9761ae454a779b44fe1d11744853ecbda3ae681a5c4bdc828106fdff1900fa14da973ac82ece21c0e0d5efc5d400053566d29b60267360be387267e1ddfda182fb7e19cc3bac4c76620b6d991076f677b6d7dc7e2e1ccad903092a581754dd2c6ac7e98fc3d69637ec3e01563963b9782c2f8e6763fe342c63f0c669620e2a5f9f4011a8488a5a06f01519ea9a72e6ec9f0a1f6e38e0bd939bd565ada8df18c41d58ab1d7e3162ffbddf2c31c46a485162a8475bd34b04c9acaca97d9a38760e01138df5e235b61eaae8d571486e39a37d256ae00fe81a80606f353675c35c1a9c22c697fb73aa6187fbb3ebf6b24e790193b646db219b2f27c77dc654960ea09201383ad197988a401fe1c28775d57dfa604aa070bea13ed8cd8bfb2c44efb981f73e61a40ef9258a2597495dd026e7d2f9fd30e8792ea6f777e78b11b80438a1799053c4dad90512bc963171aa7eda8af79d2a40462d853f2b3567607ef5f2f83b6f68518297a32c2c866a501cb3095fe78768bc40d0a2e70ae7eb3dbb5d7fb915229db01dee56def97964d91f076e4950f7e3ca8b125aca46bedc37055df5ce01bc98ff552ad3ae21e91aa50e48e6c83135f216148134701586958ab0860dfaffe7bbb94182d96db30da8fac038c0d185658cb45a95d187192a324bd48c3722a6ee6683a9f1b8443f6370db21e94ff27c9034518e0658b76b2ff934ef57a9e948484486eb1b999b8360ae6b4a62f3a1e6f381087e6eb32153835c021f519edcec76b9796ee4f4cce67e10353462ca7ccf3277cc277f01f664d19c46e9e8ce6a92d355645c67ec6e93d7319edceee28c382cb971e974069b2b3f06b64a49164c394cd7a1db9b1b92509f7dbb5d2c99915055bbb42e1528aa1a1b9f6b5a319d908abfb636ee11c178c6c0bbfb32e0c4524485591110cc16d936db47628a9202dc631d238016f1846637efcf532d8d04cdaa8fdab5ba3e3decd889f06f722ab3aea1b109d8ac4c7d72716bc0094428a23d89574bb9ed6df6da241c6fa7252fd800f32dae071e5195f6a0f3c4a522b12b3132051747314d9d9db9ed1c5fe3e5f6a8ad8a1e65b48dc437e3acf4537d30ca4220941b8f8bb4b8463500fad6d15874172fecd5c6ce9d09abf6c4dbca4bc2cec437dc869193ef5554021ce3d3915f0efd33672dfb7688f6fdba40d85e9562fa6210d9ae870f7b9fa3ec6a2bc7ad8d80e3b462fe410a73c4168cfdc67c8bc8438686d9bd86430a63e91e4bcbb2ab16ae90dfc1f9baad539f4e4163697f923204879dcba82f558509496041e2640f6b923de2a84a33fa25eec37f784cf1e1652d0a699d5d79bdac30bf9b9f503e492075403d02e16d4d5d5a5a6342ea1d228b8aab361a7d5aa95f33885a6ca97b56b3d1b76027076998444ce04388f58ebe837928f8d6f83929792bdca57d3aca03288f3cfddaf46c7214fbc"}, {0xb0, 0x11f, 0x1, "e8927a4e97b3bba29ec4d5d0265126b43de0bcb1f9239f97cbca1306c901412d63900a05682f575a29e5030934c3384c772e815bcd1517b8d77b8bbf1df40522db385b7b63f4c32aa65608992990713048ac5663aa12f77e7456b7cbfbd9517a9e90fe5ce2a95300d40532c7b37d74a572e81002575837dc3479e2139af59f42fedba536860ac976ae33ff48731f39d1091e0cf52e1f7ca5aac1a33b"}, {0x60, 0x1ff, 0x2, "93e815f095aad6ae2b1d595e8b71f7265f77465f2be445eb02c155aec415b6c6ac7fa490657dc6c1b16264cb9382825bf1d83cb8aeb8010b15fdc361c571f2abddf53cc74c0685717e629ccd"}], 0x2170}, 0x0)

[  445.768765][T20309] binder_alloc: binder_alloc_mmap_handler: 20306 20001000-20004000 already mapped failed -16
[  445.793580][T20307] binder: BINDER_SET_CONTEXT_MGR already set
[  445.822982][T20307] binder: 20306:20307 ioctl 40046207 0 returned -16
[  445.843798][   T12] binder: release 20306:20307 transaction 1136 out, still active
[  445.853494][T20309] binder_alloc: 20306: binder_alloc_buf, no vma
[  445.863256][   T12] binder: unexpected work type, 4, not freed
17:34:13 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7f59ef520000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:13 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  445.880456][T20309] binder: 20306:20309 transaction failed 29189/-3, size 24-8 line 3147
[  445.890410][   T12] binder: undelivered TRANSACTION_COMPLETE
[  445.913930][   T12] binder: send failed reply for transaction 1136, target dead
17:34:13 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0xc020660b)

17:34:13 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x48, 0x0, 0x0})

17:34:13 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = syz_open_dev$dspn(&(0x7f0000000080)='/dev/dsp#\x00', 0xa7c000000000, 0xdce2d8c7f643e3a)
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000100)='IPVS\x00')
sendmsg$IPVS_CMD_SET_CONFIG(r1, &(0x7f0000000200)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x2000080}, 0xc, &(0x7f00000001c0)={&(0x7f0000000140)=ANY=[@ANYBLOB='h\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="08002abd7000ffdbdf250c00000008000400000000b50600000800060007000000080004000500000034000200080008000900000008000800090000000800057f0000000800030001000000080005000000000008000b000200000000"], 0x68}}, 0x840)
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r3}], 0x1, 0x100000001)
ioctl$EVIOCGABS0(r1, 0x80184540, &(0x7f0000000280)=""/198)

[  445.976708][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:13 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  446.130534][T20611] binder: 20565:20611 ioctl c0306201 200001c0 returned -14
17:34:13 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
socket$caif_stream(0x25, 0x1, 0x3)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  446.171798][T20717] binder_alloc: binder_alloc_mmap_handler: 20565 20001000-20004000 already mapped failed -16
17:34:13 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  446.244868][T20611] binder: BINDER_SET_CONTEXT_MGR already set
[  446.280055][T20611] binder: 20565:20611 ioctl 40046207 0 returned -16
[  446.301287][T20742] binder_alloc: 20565: binder_alloc_buf, no vma
[  446.333621][T20717] binder: 20565:20717 ioctl c0306201 200001c0 returned -14
17:34:13 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7fffffffefff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  446.359325][   T12] binder: release 20565:20611 transaction 1142 out, still active
[  446.368730][T20742] binder: 20565:20742 transaction failed 29189/-3, size 24-8 line 3147
[  446.382911][   T12] binder: unexpected work type, 4, not freed
17:34:13 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x9000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  446.408727][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:13 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4c, 0x0, 0x0})

[  446.453092][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  446.490246][   T12] binder: send failed reply for transaction 1142, target dead
17:34:13 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$usb(&(0x7f0000000080)='/dev/bus/usb/00#/00#\x00', 0x101, 0x80000)
getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(0xffffffffffffff9c, 0x84, 0x1f, &(0x7f00000000c0)={<r3=>0x0, @in={{0x2, 0x4e20, @loopback}}, 0x1, 0x5}, &(0x7f0000000180)=0x90)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r2, 0x84, 0x70, &(0x7f00000001c0)={r3, @in={{0x2, 0x4e23, @rand_addr=0x2}}, [0x4, 0x1d3, 0x7ff, 0x6, 0x80000000, 0x5, 0x0, 0xf1, 0x7f, 0x4, 0x9, 0x3f, 0x4, 0x800, 0x7fff]}, &(0x7f00000002c0)=0x100)
openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc0\x00', 0x40080, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:13 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
socket$isdn_base(0x22, 0x3, 0x0)
r2 = syz_genetlink_get_family_id$SEG6(&(0x7f00000000c0)='SEG6\x00')
sendmsg$SEG6_CMD_SET_TUNSRC(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000000180)={&(0x7f0000000100)={0x48, r2, 0x1, 0x70bd26, 0x25dfdbfb, {}, [@SEG6_ATTR_SECRET={0x10, 0x4, [0x4, 0x3, 0xffff]}, @SEG6_ATTR_DST={0x14, 0x1, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x22}}}, @SEG6_ATTR_DSTLEN={0x8, 0x2, 0x3}, @SEG6_ATTR_DSTLEN={0x8, 0x2, 0x100000001}]}, 0x48}, 0x1, 0x0, 0x0, 0x4}, 0x4000001)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  446.574661][T20960] binder: 20958:20960 ioctl c0306201 200001c0 returned -14
17:34:13 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  446.622163][T20965] binder_alloc: binder_alloc_mmap_handler: 20958 20001000-20004000 already mapped failed -16
[  446.647117][T20960] binder: BINDER_SET_CONTEXT_MGR already set
[  446.685094][T20960] binder: 20958:20960 ioctl 40046207 0 returned -16
[  446.712993][   T12] binder: release 20958:20960 transaction 1149 out, still active
[  446.722640][T20965] binder_alloc: 20958: binder_alloc_buf, no vma
[  446.733730][   T12] binder: unexpected work type, 4, not freed
[  446.757828][T20965] binder: 20958:20965 transaction failed 29189/-3, size 24-8 line 3147
[  446.771157][   T12] binder: undelivered TRANSACTION_COMPLETE
[  446.797133][   T12] binder: send failed reply for transaction 1149, target dead
17:34:14 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$vcsa(&(0x7f0000000080)='/dev/vcsa#\x00', 0x11b, 0x400)
r3 = gettid()
write$FUSE_LK(r2, &(0x7f00000000c0)={0x28, 0x0, 0x4, {{0x9, 0x0, 0x0, r3}}}, 0x28)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
syz_open_dev$vbi(&(0x7f0000000100)='/dev/vbi#\x00', 0x3, 0x2)

17:34:14 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio\x00', 0x20000, 0x0)
getsockopt$inet_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x1a, &(0x7f00000000c0)=ANY=[@ANYRES32=<r2=>0x0, @ANYBLOB="30000040899d97bcb60e80374f81ad37bb83d400000000000000008b98d2708204e5358926bbce2688148a9a1465c040389d7a00"], &(0x7f0000000100)=0x38)
setsockopt$inet_sctp_SCTP_CONTEXT(r1, 0x84, 0x11, &(0x7f0000000140)={r2, 0x3}, 0x8)
openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:14 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x60, 0x0, 0x0})

[  446.832258][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:14 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x940000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  446.922861][T21182] binder: 21179:21182 ioctl c0306201 200001c0 returned -14
17:34:14 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  446.988480][T21205] binder_alloc: binder_alloc_mmap_handler: 21179 20001000-20004000 already mapped failed -16
17:34:14 executing program 1:
r0 = epoll_create1(0x80000)
socketpair(0xa, 0x800, 0x4f58, &(0x7f0000000280)={<r1=>0xffffffffffffffff})
ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000440)={'vcan0\x00', <r2=>0x0})
fstat(r0, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, <r3=>0x0})
setsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000000500)={{{@in6=@rand_addr="5032aafc7c496a3f30aa8bc9addf9dcb", @in6=@mcast2, 0x4e20, 0x3, 0x4e22, 0x2, 0xa, 0x80, 0x20, 0xef, r2, r3}, {0x7, 0x4, 0x2, 0x1f, 0x9, 0x4, 0xfff, 0x6}, {0x4, 0x9, 0x5ce0}, 0x1b93, 0x6e6bbf, 0x2, 0x0, 0x2}, {{@in=@local, 0x4d5, 0x33}, 0x2, @in=@remote, 0x3502, 0x2, 0x0, 0x5, 0x20, 0xfffffffffffffffa, 0x91}}, 0xe8)
ioctl$FIGETBSZ(r0, 0x2, &(0x7f0000000100))
r4 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r4, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r5 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000140)='/dev/rtc\x00', 0x1, 0x0)
poll(&(0x7f0000000000)=[{r5}], 0x1, 0x100000001)
setxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)=@known='security.apparmor\x00', &(0x7f0000000240)='-\x00', 0x2, 0x2)
getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f0000000080)={<r6=>0x0}, &(0x7f00000000c0)=0xc)
fcntl$setownex(r5, 0xf, &(0x7f0000000180)={0x1, r6})
epoll_create(0x3)

[  447.070480][T21182] binder: BINDER_SET_CONTEXT_MGR already set
17:34:14 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  447.111398][T21182] binder: 21179:21182 ioctl 40046207 0 returned -16
[  447.147105][T21376] binder_alloc: 21179: binder_alloc_buf, no vma
17:34:14 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x20000, 0x0)
setsockopt$kcm_KCM_RECV_DISABLE(r2, 0x119, 0x1, &(0x7f0000000080)=0x9f6b, 0x4)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  447.179534][T21205] binder: 21179:21205 ioctl c0306201 200001c0 returned -14
[  447.222869][T21376] binder: 21179:21376 transaction failed 29189/-3, size 24-8 line 3147
[  447.233781][   T12] binder: send failed reply for transaction 1155 to 21179:21182
17:34:14 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  447.266794][   T12] binder: undelivered TRANSACTION_COMPLETE
[  447.297707][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:14 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x68, 0x0, 0x0})

[  447.337836][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:14 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
pipe(&(0x7f0000000080)={<r2=>0xffffffffffffffff})
ioctl$SNDRV_RAWMIDI_IOCTL_PVERSION(r2, 0x80045700, &(0x7f00000000c0))

[  447.437812][T21604] binder: 21592:21604 ioctl c0306201 200001c0 returned -14
17:34:14 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
fsetxattr$trusted_overlay_origin(r0, &(0x7f0000000140)='trusted.overlay.origin\x00', &(0x7f0000000180)='y\x00', 0x2, 0x3)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = accept(r0, 0x0, &(0x7f0000000000))
ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000100)=0x7ff)
getsockopt$inet6_buf(r2, 0x29, 0x2b, &(0x7f0000000080)=""/49, &(0x7f00000000c0)=0x31)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  447.490845][T21616] binder_alloc: binder_alloc_mmap_handler: 21592 20001000-20004000 already mapped failed -16
[  447.522322][T21604] binder: BINDER_SET_CONTEXT_MGR already set
[  447.528578][T21604] binder: 21592:21604 ioctl 40046207 0 returned -16
17:34:14 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  447.546770][T21616] binder_alloc: 21592: binder_alloc_buf, no vma
[  447.554373][T21616] binder: 21592:21616 transaction failed 29189/-3, size 24-8 line 3147
[  447.590189][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:14 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6c, 0x0, 0x0})

[  447.639813][    C1] net_ratelimit: 17 callbacks suppressed
[  447.639821][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  447.642682][   T12] binder: send failed reply for transaction 1162 to 21592:21604
[  447.645630][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  447.676125][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:15 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x9000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  447.720491][T21754] binder: 21748:21754 ioctl c0306201 200001c0 returned -14
[  447.752572][T21797] binder_alloc: binder_alloc_mmap_handler: 21748 20001000-20004000 already mapped failed -16
17:34:15 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc1f123c12a41d88b070e1820d9f84c514fba15fe367e75a645b772920530bbd961469b13643d3e9426bf569f19702987cd8a87f290b0dda9ca2e5fe9da0872f4b8740c328841655729c05139d601ed557d5c7ca7f39fcfa42a7428cde1259782d46e18b223cf4fe565002dddf5ea0346bb28e2f539696819febd4a9d15443f847c784a44d80c81a8a4ac665e0ebb357ac2163dc63e7b6af0811eaac0fba8b3cf4bec9dabd870460f2f120deadd8dd4499c59eb0cd7b667869cfd526bbd7d4ce4320560452d27b3bfad7c58b94079a53c441ac5de4d19d5611e75908b99359c45410bb2e0f35d4f0418df03b90eb693d7caa07cdbed8eb24eefceb4fb945e2ca6b9f404be677718f4e51ad689d1e7e221aec5cea6a56f3e9")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  447.797368][T21754] binder: BINDER_SET_CONTEXT_MGR already set
[  447.830309][T21754] binder: 21748:21754 ioctl 40046207 0 returned -16
17:34:15 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = syz_open_dev$usb(&(0x7f00000000c0)='/dev/bus/usb/00#/00#\x00', 0x68, 0x20000)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_INFO(r1, 0xc0bc5310, &(0x7f0000000100))
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)
r3 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0xffffffffffffff8a, 0x191000)
ioctl$PPPIOCGNPMODE(r3, 0xc008744c, &(0x7f0000000080)={0xc223, 0x3})

17:34:15 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  447.865007][T21836] binder_alloc: 21748: binder_alloc_buf, no vma
[  447.922288][T21797] binder: 21748:21797 ioctl c0306201 200001c0 returned -14
[  447.956804][   T12] binder: release 21748:21754 transaction 1168 out, still active
17:34:15 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  447.965719][T21836] binder: 21748:21836 transaction failed 29189/-3, size 24-8 line 3147
[  447.975337][   T12] binder: unexpected work type, 4, not freed
[  447.996423][   T12] binder: send failed reply for transaction 1168, target dead
17:34:15 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x20004, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  448.039803][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  448.045718][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:15 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
inotify_init1(0x800)

17:34:15 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x74, 0x0, 0x0})

17:34:15 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  448.199919][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  448.205837][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  448.219818][T22075] binder: 22057:22075 ioctl c0306201 200001c0 returned -14
17:34:15 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x30710000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  448.275522][T22184] binder_alloc: binder_alloc_mmap_handler: 22057 20001000-20004000 already mapped failed -16
17:34:15 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
prctl$PR_SET_MM_MAP_SIZE(0x23, 0xf, &(0x7f00000000c0))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$sock_SIOCGIFCONF(r0, 0x8912, &(0x7f0000000080)=@buf)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  448.351283][T22075] binder: BINDER_SET_CONTEXT_MGR already set
[  448.366884][T22075] binder: 22057:22075 ioctl 40046207 0 returned -16
[  448.406037][T22273] binder_alloc: 22057: binder_alloc_buf, no vma
17:34:15 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='io.stat\x00', 0x0, 0x0)
r2 = openat$cgroup_ro(r1, &(0x7f00000000c0)='cpuacct.usage_all\x00', 0x0, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
write$binfmt_script(r0, &(0x7f0000000180)=ANY=[@ANYBLOB="2321202e2f66696c65302000206d696d655f746576626f786e6574300a5e9f8606c1db962f3e905833776da0b5a4d9aa5879afe546663f429860678e45606c4a2ad2cdcb80d3f9f3dbf9580d9ef704a2ea51caa53ea3138d2e3ab9a52d86699ccf09975054e1000035f14acc91d7cf92a0806af4f25493f956"], 0x24)
recvfrom$rxrpc(r2, &(0x7f0000000100)=""/29, 0x1d, 0x2000, &(0x7f0000000140)=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x4e21, @rand_addr=0x2}}, 0x24)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

[  448.452652][T22184] binder: 22057:22184 ioctl c0306201 200001c0 returned -14
[  448.477566][   T12] binder: release 22057:22075 transaction 1175 out, still active
[  448.491707][T22273] binder: 22057:22273 transaction failed 29189/-3, size 24-8 line 3147
17:34:15 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x14000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  448.510027][   T12] binder: unexpected work type, 4, not freed
[  448.516139][   T12] binder: send failed reply for transaction 1175, target dead
17:34:15 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
lsetxattr$security_evm(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='security.evm\x00', &(0x7f0000000280)=ANY=[@ANYBLOB="da93962b5902ee12eec1adb772aab06bf6b3a294bc18cdea9a6787fba5c977be6f1ede04536509dca126f9a6375c41b7e831285019eb1ba7b7a6934bc6c09b4127867f344b8418b0f040b2b104bc08271b2db1a051aa27f9d45fd8d40770d715bc1deb183f47db5cb0c98d7236a3ec51fb3fd6c0ab2cb4ecce5adb1f145f83b0f00ce5f386c478cc43adec199a9aa2ccf5ac8d5b57bb24af1acdd1ffffff2a1e41c8b6e5b8a5ffffffffff9a1a3a4f33"], 0x13, 0x2)
ioctl(r0, 0x8, &(0x7f00000001c0)="0ac31f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$FICLONE(r1, 0x40049409, r0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = syz_open_dev$vbi(&(0x7f0000000100)='/dev/vbi#\x00', 0x3, 0x2)
open(&(0x7f0000000180)='./file0\x00', 0x880, 0x40)
ioctl$DRM_IOCTL_SET_VERSION(r2, 0xc0106407, &(0x7f0000000140)={0x3, 0x4, 0x61deb505})

17:34:15 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7a, 0x0, 0x0})

17:34:15 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x507e0100000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  448.679829][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  448.685648][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  448.743821][T22470] binder: 22435:22470 ioctl c0306201 200001c0 returned -14
17:34:16 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  448.792136][T22542] binder_alloc: binder_alloc_mmap_handler: 22435 20001000-20004000 already mapped failed -16
17:34:16 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x200, &(0x7f0000000080)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rtc\x00', 0x10481, 0x0)
syz_open_dev$evdev(&(0x7f0000000040)='/dev/input/event#\x00', 0x9, 0x113200)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
ioctl$FS_IOC_GETFLAGS(r0, 0x80086601, &(0x7f0000000000))

[  448.852010][T22470] binder: BINDER_SET_CONTEXT_MGR already set
17:34:16 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl(r1, 0x101, &(0x7f0000000080)="c274f3155ed638f5a1a5a3259bb6fff9718b66ef5af4753ad81fe7f078764a26f62e39954b2e2f761619eb240e44f8a739b8c770d6b1154a422b82f3ab85880652b0687652be4fa1c1e006427d328c89a917c5791df2ca19fb46a322acfafccafc931609d4ddf9fc49f5291a3380c387e5914b697fefed2ebdd1f16428a0c9444840804a732dc36557d3de430db836e28ae3606452b0a0a6725fa0366a0d0cbd9ddc644414caf75e0f7f2fac305606611541")
ioctl$EXT4_IOC_PRECACHE_EXTENTS(r1, 0x6612)
poll(&(0x7f0000000000), 0x0, 0x100000001)
bpf$OBJ_GET_PROG(0x7, &(0x7f0000000180)={&(0x7f0000000000)='./file0\x00', 0x0, 0xd5568d75e0a24861}, 0x9)

[  448.897853][T22470] binder: 22435:22470 ioctl 40046207 0 returned -16
[  448.927647][T22600] binder_alloc: 22435: binder_alloc_buf, no vma
[  448.946898][T22542] binder: 22435:22542 ioctl c0306201 200001c0 returned -14
17:34:16 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x70800100000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:16 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x19000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  449.017093][T22600] binder: 22435:22600 transaction failed 29189/-3, size 24-8 line 3147
[  449.043978][   T12] binder: send failed reply for transaction 1182 to 22435:22470
17:34:16 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x300, 0x0, 0x0})

17:34:16 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = syz_open_dev$vcsa(&(0x7f0000000100)='/dev/vcsa#\x00', 0x100000000, 0x0)
ioctl$KDSKBLED(r1, 0x4b65, 0x51)
r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x100, 0x0)
ioctl$PIO_FONTX(r2, 0x4b6c, &(0x7f0000000080)="4ea041368ab16b827d3270e7cf13b453c831a9e796d950c43cb8671f8eb9c54db121aaa1e13f08caa991ab8cea68d5ce0c32dd7fd6930f9a4796c80ed9225ad9c5bee6d158864c1baa94a4")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

17:34:16 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng\x00', 0x40000, 0x0)
signalfd4(r2, &(0x7f0000000100)={0x6}, 0x8, 0x80800)

[  449.254708][T22820] binder: 22818:22820 ioctl c0306201 200001c0 returned -14
17:34:16 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  449.296407][T22842] binder_alloc: binder_alloc_mmap_handler: 22818 20001000-20004000 already mapped failed -16
17:34:16 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1a000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  449.354680][T22820] binder: BINDER_SET_CONTEXT_MGR already set
[  449.384752][T22820] binder: 22818:22820 ioctl 40046207 0 returned -16
17:34:16 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/btrfs-control\x00', 0x80000, 0x0)
ioctl$PPPOEIOCSFWD(r1, 0x4008b100, &(0x7f0000000100)={0x18, 0x0, {0x0, @random="ba802299be23", 'veth1_to_bond\x00'}})
ioctl(r0, 0x1000008913, &(0x7f0000000080)="0adc1f123c12a41d88b070")
setsockopt$inet_msfilter(r0, 0x0, 0x29, &(0x7f0000000000)={@local, @dev={0xac, 0x14, 0x14, 0x29}, 0x1, 0x1, [@local]}, 0x14)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

[  449.419530][T22978] binder_alloc: 22818: binder_alloc_buf, no vma
[  449.452791][T22842] binder: 22818:22842 ioctl c0306201 200001c0 returned -14
[  449.479881][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  449.479920][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  449.503856][   T12] binder: release 22818:22820 transaction 1189 out, still active
[  449.512468][T22978] binder: 22818:22978 transaction failed 29189/-3, size 24-8 line 3147
17:34:16 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000001100)='/proc/capi/capi20ncci\x00', 0x24c40, 0x0)
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r1, 0x40605346, &(0x7f0000001140)={0x1f, 0x2, {0x3, 0x0, 0x100000001, 0x0, 0x1f}})
r2 = syz_open_dev$audion(&(0x7f0000000080)='/dev/audio#\x00', 0x4, 0x14842)
accept4$alg(r2, 0x0, 0x0, 0x80000)
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r3}], 0x1, 0x100000001)
ioctl$sock_SIOCGIFBR(r2, 0x8940, &(0x7f00000000c0)=@generic={0x3, 0x102, 0xffff})
r4 = semget(0x2, 0x0, 0x0)
ioctl$KVM_IRQFD(r2, 0x4020ae76, &(0x7f00000011c0)={r1, 0x9, 0x5, r2})
semctl$GETALL(r4, 0x0, 0xd, &(0x7f0000000100)=""/4096)
ioctl$KDENABIO(r2, 0x4b36)

[  449.524708][   T12] binder: unexpected work type, 4, not freed
[  449.541454][   T12] binder_release_work: 3 callbacks suppressed
[  449.541459][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:16 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x500, 0x0, 0x0})

17:34:16 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80ffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  449.607873][   T12] binder: send failed reply for transaction 1189, target dead
17:34:17 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$FS_IOC_GETFSLABEL(r0, 0x81009431, &(0x7f00000005c0))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$dspn(&(0x7f0000000100)='/dev/dsp#\x00', 0x9, 0x40000)
r3 = syz_genetlink_get_family_id$tipc2(&(0x7f00000003c0)='TIPCv2\x00')
sendmsg$TIPC_NL_MON_PEER_GET(r2, &(0x7f0000000580)={&(0x7f0000000380), 0xc, &(0x7f0000000540)={&(0x7f0000000400)={0x140, r3, 0x400, 0x70bd2a, 0x25dfdbfd, {}, [@TIPC_NLA_LINK={0x30, 0x4, [@TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}]}, @TIPC_NLA_MEDIA={0xf0, 0x5, [@TIPC_NLA_MEDIA_PROP={0x24, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}]}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1c}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x34, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1c}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0x3c, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x4}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x400000000000000}]}]}, @TIPC_NLA_MON={0xc, 0x9, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x39}]}]}, 0x140}, 0x1, 0x0, 0x0, 0x404c804}, 0x4000014)
r4 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vga_arbiter\x00', 0x181481, 0x0)
r5 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000240)='IPVS\x00')
sendmsg$IPVS_CMD_ZERO(r4, &(0x7f0000000200)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f00000001c0)={&(0x7f0000000140)={0x78, r5, 0x200, 0x70bd2d, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x2}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0xfff}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x3}, @IPVS_CMD_ATTR_DEST={0x40, 0x2, [@IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@remote}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x101}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x3f}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x9}]}, @IPVS_CMD_ATTR_DAEMON={0xc, 0x3, [@IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x3}]}]}, 0x78}, 0x1, 0x0, 0x0, 0x8000}, 0x40000)
syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0xfff, 0x100)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  449.703151][T23182] binder: 23162:23182 ioctl c0306201 200001c0 returned -14
17:34:17 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:17 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x14000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  449.753615][T23182] binder: BINDER_SET_CONTEXT_MGR already set
[  449.793202][   T12] binder: release 23162:23182 transaction 1196 out, still active
17:34:17 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rtc\x00', 0x140, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
fsetxattr$trusted_overlay_nlink(r0, &(0x7f0000000080)='trusted.overlay.nlink\x00', &(0x7f00000000c0)={'U-', 0xffffffff80000000}, 0x28, 0x2)

[  449.803694][T23182] binder: 23162:23182 ioctl 40046207 0 returned -16
[  449.824271][   T12] binder: unexpected work type, 4, not freed
[  449.850056][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:17 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x600, 0x0, 0x0})

[  449.881573][   T12] binder: send failed reply for transaction 1196, target dead
17:34:17 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000001c0))
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0ae1ced6e9f74f3a651fc5")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_ALM_READ(r1, 0x80247008, &(0x7f0000000000))
setsockopt$IP_VS_SO_SET_TIMEOUT(r0, 0x0, 0x48a, &(0x7f0000000200)={0x800, 0x800}, 0xc)
getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000080)={{{@in6=@loopback, @in=@dev}}, {{@in=@multicast2}, 0x0, @in6=@mcast2}}, &(0x7f0000000180)=0xe8)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  450.012977][T23420] binder: 23404:23420 ioctl c0306201 200001c0 returned -14
[  450.063599][T23420] binder: BINDER_SET_CONTEXT_MGR already set
17:34:17 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = syz_open_dev$sndpcmc(&(0x7f0000000080)='/dev/snd/pcmC#D#c\x00', 0x0, 0x40000)
ioctl$VIDIOC_S_FBUF(r1, 0x4030560b, &(0x7f0000000180)={0x6c, 0x50, &(0x7f00000000c0)="68cf6d62a6fbaf45f2ba59c93185cf7d2eb393565f39a0a8f6eb37c66992d1c88fea1ce1e82b2a9e190711d5e12518161cd126209546ce32fbce871e02e79f70d519e0cac2771f334b4b1e43e2db80d6047ab7eeb5e2c042e5eb92b36fb6cfe8c23f50872099833ff0cc67dbea1c3bc84b703938bf9bcd935f967e9315c0fe0e0d8b573f5f49792f715cd9967ed1ad2a41adf8974fb12a", {0x7, 0x3, 0x3231564e, 0x8, 0x0, 0x8001, 0xd, 0x1}})
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:17 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa0700000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:17 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x19000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  450.107093][   T12] binder: release 23404:23420 transaction 1202 out, still active
[  450.115517][T23420] binder: 23404:23420 ioctl 40046207 0 returned -16
[  450.139898][   T12] binder: unexpected work type, 4, not freed
[  450.145949][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:17 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x700, 0x0, 0x0})

[  450.196900][   T12] binder_release_work: 7 callbacks suppressed
[  450.196908][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  450.231366][   T12] binder: send failed reply for transaction 1202, target dead
[  450.287720][T23631] binder: 23623:23631 ioctl c0306201 200001c0 returned -14
[  450.335917][T23631] binder: BINDER_SET_CONTEXT_MGR already set
[  450.360463][   T12] binder: release 23623:23631 transaction 1208 out, still active
[  450.370643][T23631] binder: 23623:23631 ioctl 40046207 0 returned -16
17:34:17 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
socket$inet_tcp(0x2, 0x1, 0x0)
socket$inet_smc(0x2b, 0x1, 0x0)
ioctl(r0, 0x0, &(0x7f0000000040)="1adc1f323c1200008ab070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  450.383646][   T12] binder: unexpected work type, 4, not freed
17:34:17 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3f000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:17 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x6, &(0x7f0000000000)="0adcb081540fc3c9166c9418949930a980899941a5b286e99e142a8f6f226b149aeb7a8712bc1e110c7a830989ef3a235837")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  450.407444][   T12] binder: undelivered TRANSACTION_COMPLETE
[  450.450082][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:17 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0xa00, 0x0, 0x0})

[  450.490303][   T12] binder: send failed reply for transaction 1208, target dead
[  450.568517][T23761] binder: 23759:23761 ioctl c0306201 200001c0 returned -14
[  450.585128][T23796] binder_alloc_mmap_handler: 3 callbacks suppressed
[  450.585146][T23796] binder_alloc: binder_alloc_mmap_handler: 23759 20001000-20004000 already mapped failed -16
[  450.602845][T23761] binder: BINDER_SET_CONTEXT_MGR already set
[  450.609118][T23761] binder: 23759:23761 ioctl 40046207 0 returned -16
17:34:17 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb0500000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  450.640796][T23796] binder_alloc_new_buf_locked: 3 callbacks suppressed
[  450.640805][T23796] binder_alloc: 23759: binder_alloc_buf, no vma
17:34:18 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ubi_ctrl\x00', 0xbcd4f6148fab2f42, 0x0)
ioctl$LOOP_GET_STATUS(r1, 0x4c03, &(0x7f0000000100))
ioctl(r0, 0x1000408913, &(0x7f00000001c0)="0adc1f123c12a41d88b07048a692849569f4def114b7316e226b0d281f6980f14feb171e0b85a1faedb83586dfa9afb241d99fcb9ad84f6366fdd2ff77a33dd609f0d9ab760c38a1bff9cdcea718841b6612d1a32faee6be9b03")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:18 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0xfffffffffffffffd, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={<r2=>r0})
getsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f00000000c0)={@ipv4={[], [], @dev={0xac, 0x14, 0x14, 0xf}}, 0x9, 0x2, 0x0, 0x8, 0x1, 0x80}, &(0x7f0000000100)=0x20)

[  450.693770][   T12] binder: release 23759:23761 transaction 1214 out, still active
[  450.710734][T23796] binder_transaction: 3 callbacks suppressed
[  450.710751][T23796] binder: 23759:23796 transaction failed 29189/-3, size 24-8 line 3147
[  450.735369][   T12] binder: unexpected work type, 4, not freed
17:34:18 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1a000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  450.769812][   T12] binder: undelivered TRANSACTION_COMPLETE
[  450.775764][   T12] binder: send failed reply for transaction 1214, target dead
17:34:18 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x2000, 0x0, 0x0})

[  450.844773][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:18 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$full(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/full\x00', 0x0, 0x0)
write$UHID_CREATE2(r1, &(0x7f00000002c0)=ANY=[@ANYBLOB="0b00000073797a300200000000000000000000000000000000000000120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a31000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000520005000600000000100000ff7f0000010000003c088f02b5cbd7c9382d4dbc4455a6f2fd99bd3f049e7c840d518d24dc4d566ab208080159452799a75681fed0291d819e4f766a23df0284615f560a01961aaa745dae6109beffe3564a40ecdace600ac48b7933b1771e6846d29edc00338e602c7117bbbfbee57670b4c6909b6d043ee5a1e924448c15e81c48ca5d6b4fbf0ba7449357a4a6983da3c1f8effbfc3a995e1cc172998a457a722b"], 0x16a)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x1, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:18 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  450.975842][T24127] binder: 24116:24127 ioctl c0306201 200001c0 returned -14
17:34:18 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:18 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  451.062577][T24139] binder_alloc: binder_alloc_mmap_handler: 24116 20001000-20004000 already mapped failed -16
[  451.112187][T24127] binder: BINDER_SET_CONTEXT_MGR already set
[  451.167624][T24127] binder: 24116:24127 ioctl 40046207 0 returned -16
[  451.203851][T24273] binder_alloc: 24116: binder_alloc_buf, no vma
17:34:18 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d000080)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:18 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7002)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:18 executing program 1:
r0 = dup3(0xffffffffffffffff, 0xffffffffffffff9c, 0x80000)
write$FUSE_WRITE(r0, &(0x7f00000000c0)={0x18, 0x0, 0x7, {0x1a}}, 0x18)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$VIDIOC_G_AUDOUT(r0, 0x80345631, &(0x7f0000000140))
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_REM(r0, 0x84, 0x65, &(0x7f0000000100)=[@in={0x2, 0x4e21, @multicast1}, @in6={0xa, 0x4e20, 0x908, @dev={0xfe, 0x80, [], 0x1b}, 0x3}], 0x2c)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x1, 0x0)
poll(&(0x7f0000000000)=[{r2, 0x1102}], 0x1, 0x100000001)

[  451.233421][T24139] binder: 24116:24139 ioctl c0306201 200001c0 returned -14
[  451.279257][   T12] binder: release 24116:24127 transaction 1220 out, still active
[  451.289063][T24273] binder: 24116:24273 transaction failed 29189/-3, size 24-8 line 3147
[  451.307998][   T12] binder: unexpected work type, 4, not freed
[  451.343696][   T12] binder: undelivered TRANSACTION_COMPLETE
[  451.373630][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:18 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x3f00, 0x0, 0x0})

[  451.398825][   T12] binder: send failed reply for transaction 1220, target dead
17:34:18 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = syz_open_dev$ndb(&(0x7f0000000140)='/dev/nbd#\x00', 0x0, 0x22001)
ioctl(r0, 0xdff, &(0x7f0000000040)="0adc1f74e212200588b070")
r2 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7ff, 0x0)
ioctl$RTC_WKALM_RD(r2, 0x80287010, &(0x7f0000000080))
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r2, 0x6, 0x16, &(0x7f00000000c0)=[@mss={0x2, 0x9}, @sack_perm, @mss={0x2, 0x8001}, @window={0x3, 0x9, 0x5}, @mss={0x2, 0x65b}], 0x5)
ioctl$RTC_AIE_OFF(r2, 0x80247009)
syz_open_dev$sndpcmc(&(0x7f0000000100)='/dev/snd/pcmC#D#c\x00', 0x3f, 0x0)
flock(r2, 0x4)
ioctl(r1, 0xff, &(0x7f0000000180)="ed4c68b24f25b032964697deb7c26ac336c647155a5a03ef83a877e7a70c0892d4d01a4a516a7a5896a02499f552ebc81261d427207c1c7819b8dbfb8d399eefed94e33c112dd56707c8bab161b5a000ed0f87b85f28abceb99eea00219ff7bc8ddf2acf271757073d79bd6b5748c6f17b01dea7497060d95dc8c3fb806060972fa14bd0232517215093e03d16051c8f310174e04b16245cc7b44932c90f7781acb3b5dff982fa1a866bed794bfa72e74f875f685995fd1ba735cc4a4ee7ef1762186251a13cacb3468647f21240fba7eedc39159510866f58dc540d9aa595c89e140848cdc5ecee7431262cb1a634fb49dbd6ac131ef8e11a0f4f8aa527bcf0041b25337cd66b6874efbc1b7bbcb0fb0577db3a62880780179044170a96f5be1704c28430e3d26bd8a610965027af9c7fe33d36ce5d871854e881ba0bc5f685f3ad6888b50195d382d5e121b055a7da9806cc7653657ab98319826dbc3a8f739eb2b50196ef683022c81bd6902a19778b43a7de6c950907e1768e95904e92a94b08b92b8ec64cf9e58683bed0439949c983b9f9f378ff53269fb04ece7999a2a4e06c64738379e2c3ea0819d958db376eb58cd5e7c65a5411becea6aa7e044e1534b3e9b62e8e04ff3e46e2ae80d918b076dd2f26ce2950c05d56cb77fcb2a80c0b5e39cd5ebf913901913af4ad2fdc6ae32310bbd58e39cae0019e950f07813759fec80ee8cd956cbfabb0901e0e11bc3300335cc80d766e5a18dc7be57646f7d613e9ad3d48b3ca66b0dc074daa34185b9e2b821671c5206a2fa5aae9e06f30d084e8aa43deee6a1244d9d6d9d606e33032ae92821a36925cf886e83d5d952600b81c9b049711ff1af73a2f26fec53ae6c70f5b9adeebd899afc3e399bced48a68ef949e6eea0a7050f84e77b16a50b1f30d9a8ab3f65b2c08210f86e3387deadc0cb27c8df071be15011046e7987b12b99cb8d1e513280adeb2ab8d01569179884b4ec3fcd98cece2926ee706f7f4ff4dbfc591608eccdc23ac6420f1708b9fb4600543ef07ae4a09a6cd1938ce4a981eca950f2bb874683345b496b2fdb8f1fc31d92b6ef14a4b8594c9908f7570997c1585e0b0474cb390afa98803671291f85a170087c54fcb54c2b1d768c652330eba8fa34ada08f1e744b819d16494921a36bf06f05e5f74796e14cdfe42a4b067c9807a324f9feb99cea0093c9da220864ae84feea8f254e7773429939620d023b1aa5a284afa2443202d024e515c9fc6af7f32e06b692e93000eb92353cd185dc5c56d0ff438829c01b4add010a5373a8e5db3d7ec13a94e232669f48cb8dab231431a28262219e4e0d4c93e21839662c30baf54e74fb9c847b54d248a0acbe76f049f546ae0f5d63ba74811aba87081f6ac3a610ee7250810a0adc59e18c73f539785491161994ef69e56a3630c515e65f2dcad47e724e9c0db425a39d901cf4abe3ed0b01d2735e03ca9d560d8cbc817886ec1003b3111bb97a7298e6e8064eac7099593cb15281c428d01f9970826ab907bac5e6a1205969f8b07a802d6c315f407fa8cfc6f8e52cf053611c8349cf8b80d43991b8a96a2c090fa4860e223cc077927459e93e2bf358b9df313920ece957ed554e1652203a4f7a58fd716727ed0e64f42621c18edbe9cb02660c566e869f35bf6955cd0297f420e4e53a85223a68f674111d321aca70c4356fcc45c7bf18c9b3817d18d87d344a581cfe007588ca98e1270eab5f671411c090463ab7c0d73895eeb41ee14b358b2625dab8e2c715020bc3aff56179783e63378e4c3f1c02575badf869a6f3d85ff1e75c5fe1737e7ffd542b5d7955dec98eba3515d0e1eab185d9d0fc994c74391ca60168b8db8f8fd9ddc6edd85ec8927b52e22e06a3ea60143ddd4cbf5257b4b5c81a5c2cbbabc2420c69d57ca3d4278c0aa0f08ac31530944c8720447e35e8ab6ab345a12d97854904cac3a402ac4081cea593c4acc9f3e7710e3669486ae51e036125c9e61d058ee56d8a9da2d766c4a11e15d3175c134aeb6db7a2dabbcef54d6d89ee752ac42ebd23f1b8032abefa06ee9e34a73853859a5f95a65d63aa26427108606d629c7956c6b01aa9a21960211869f869b7d04f73103eab4afa4a4d911623970e91d77b1e17743a2b2837957a99839dbe0594c446589128c719c10af1e2b26070bf84ba7d4c4776f286ba782b4e898f9b69cdf3f8f1b0d9ce27266a3b79ac061ad73160943734b60ecd8ff4a4ae21d27b81a07e4b2d47f7e33a217307c5d8687ff77c772dd2ccb5a5bc8ee57ade01bc59858040b55b05e330c878c51c27959c6db0203166c0e6240f1c8cf5382734be281aa788fd16e67c1e75452769d5f4403546223098c38ffa9119897f8e85ccded0a1e2eb2f06c6f3965352e6f10e4f74149605e310e453e4932e1cea79973c146f4a6355e7678d1dc213cf4508292a5fab3aacac6ed88a89ff1643db60635df1b85ab8ea8fa8e6ea6a23fb17d1893f5607cdacf770359f1a9516fcb05ae884aa37435041d1ec1a0c2f4b0c1dd0ffbbbd05b479a5e178725c988b4e31d636aa7178397206389525c5aa3ddfd6762cc4125a344af401a35018eedfe7b7b175316cdd536d2014b3187fec9af4b4cf5c90e8e87e8c642d418fc170219d59025404f56bd65329709778c08d04ae7541d9bf743ad882d56c13d45bc1f95633fa32f876871f36fa01635a3398493832f7a0df0f4db8f3854eeaee4445b1f0970a97dc982a955a600de583e15246ce5299ebb1878a92e3ef55058269c8bedf5c87e298138a442b526b3028d2197cda879dbe3969acf493681faa0c90ca02949deb9ceed7289f211dbaa442d3f3e434473d852c440ebde99d581a4689c2d0e89c36e65d57b31b17986528d879d5630c4a1de4d7f9d4fb720e64c2a51e36ee46130b6f3463f658391405771ecfc043b290a2df9717d315b2c9cde8b0ce67c49d01eedf252dc92b83be05404e9b12382d79cdd40d40fdb5cf8c3789ee43a724306e4e52fa4eee7d42d2bcbf6956da322b8e3cb4b575b4f091d075b70e6b47477ddac4ca695bdd07cb7bc61ceca282e76391ada738134db87fca31351a6901273edce118735b90ee363fb396e2d17e6725f75ce2005b8fa70d8833da9a289ee02b48309ba70b0c0ad3984a5be9b2324183fc841c7e06c3aa769212515538eea67112aed27d6284537d907e06272b050f2afd73dfdc231d4bd0bae14a9ed4ec7c63c3cd0964fde5f1a918a31e0edddc14b7d9ab865a71eeb8fe287cb80c6ca8f24d86e25af9464338505976f2e0673105334f3c36cfe09da305a7ec8f001ee6041e12f300d04f728b004272b4d21bf263dc6e8b2e362cfa7622f3f4a45ae3b10fe98861517e44844ef6a07852951d8fb441016e0a10ff036723244b2f1b01e2296302c5e6262dae27f7c9669b7cb9a8271ef30688dcc38f28fccd1e1634da816a9e1507de131666bad9947e49b50603f5dc0d3972015cd91d526380425752f31bc0274c61d76b32e2d07d1fab9b282d4d556c22f00fe1e38edf3fab1eb6aaab88747d2e7c920525f9a478f56c85ed8127d869b38ee2ca1a77d9cc7b6c4a6cdcf5a634954f7707b878acde9f652cf01abacefdae7e90ee90c9e0fe1e2588d79bbc713ebb4399e4b6190a6959a58b26e88279eb451cc4a53bd7a070048382aa69c5a31eec2a0ef880bec1bf4c2f63f4021a4b5b982044df0d5b29585db83d94ecdaff1255e885ea47120e871ccd1e3047be5a076c384b533ff65d5b621d70cc0cd6c84d70a26d07583c7c289b6affdb4494b906e15dfefa4361f0c4b21769e47e45280cd32bb6a6ee13e7010d6db24613afe36be9141e11cb3546111e6d8d5c2b33642a6033c1efd91cf00f22e99931851eaafcdc01d68b5bc3b346342e17e370aa271a378c4bede9af09a65b98c039910f1a2124678fe0bea4c4d5ae0fd58615bf03b98126e972b950b68c625d3ec8d301ed021695aa07aec500dfb83a8dcbd04603fe9856899cf963612a5a07d7ba181eb8f55a3a495d8f2dab1cbbaedd79cc5a9427bdc27e48f9b9681e762bae88b993c216fec94d2c445079a30aeb034f7066dd1864fc1e2ad0b674cc776b9619a9a3b3ab98b05a74a2453b8b40283ac62295443c61657f8e8b8f50d44e4385a1d23f25048440820aab5de468b89c88e5df63a7ad06b2ad708643a3627885325b475ab4b33b0a57b11d1107dca668516356fc3745bd6758a260c2d6bf63b38b1d116d34d3347133c457fc403b3e3eeb7b5ae82170e3022f84b2528d19e1b1e7bf0a8e9e2da3144fda15e57c28bc8f7242a330242200387df69b9738431f6316d87cf2cd3d2c8383c3900bb437cfbab031e494293a64ed01ddea7f43208b5463bb1826b326eea8386d2bd9a20d4910b283438d9ce771ed406e5634a5a189409c5fa1a5c348b5a08d98c0d285e38ac0978a7e5fc8576575d006a4f02e180836db1e0a3e648c97f5ebaef3b1b593f1ff4231d61ae16fee3195118dadaf9430cc4e22499c808958260bbb662b005457d1edef67755d112f923802c96c1d30981b908bff2bbf3fce4b91baccaf9b001bb51a1f35476c0a9bc0f49fc42c9823aac4989822b003a37d08bb9899bd1e38ddd48097f3d9bba575a2788c00d325dca53d19301014ee02cde1fc72e6a3173f314a966505329b725959bb3eeefde78a966ed685f1869c0e371f4a482be2a856b0adc0420ce01d2d70ed725ddf801bd72068eb35508e90053b3a795da09dc6784ea237d4653f41eab23a95211d357ffea50a4944925eafc14e01cefe131b0a54b15fc7b11fa45f456f9f1246e9765fe841c9886b8c6c62deed107d7fcca5cfe7539601ac650e3dfde22191e51255dc0f9bc9ba5b508f103caa388e243e39ca6b420e461b7dddc43e4bd66e0474ce4a777f0559a783298c5bda7dbe7c534210281b9c6b01f1dd43243bec756270417b126cb1cfc3c2e9f204baf63597e5ffb7d94be48abb2e66ed6509fd974628e9926c7b627652d619de3fe5f8ad23e9e43cdd792d23f993b8c2f5b47a5282b58a068fc463a6dec0bae5d67db00bd84ff5d98df2e7d22c8229cb59768fc2aa0b01a10c0a3bcad1af41b4529fa3b1ca5920bb59150be4461e71fe73076abf2cb02db7a82936614162046de4ff0215ab079a5d3c8d184ced74b780b0facbf769964c5e29b7c83843a4ece28bc9f263a3529eae2ea2f1fb6cffb6a6c6ccefed67ff0fc55a3bb6511ad318352ca51b8fbdbeb462251f4d4cfee9ec768229eaa7e559e4da53abde6ee7c041267aded86f2ed7fab2d4371790d8074b81f2d1ab84636c815b185ff7ba7540566adb19269b681325d46d12afe3a5dea459e1364f07c2449493e8a69a07d357aeef458b14b8fd72283ee93d6951ddc8332b0ed21dfb76900715d4f80ab9232452f7914046341f31518b2144de83db252cc481977150cf04e81883518b80f4dd85cc496131285b68293a7fe08bd2beab6be629f4182fb19d7ffc61972f3bf45b0c74cc5504dca5cfc76de8f3c09c6774fe77c63eba4003a8ee24f3ab649e3e7410c5b7cf4414234c3fa30fd7770a4424c21a52783b4f42236d75ce978e274bfb90bbe101464c8e05c58714fc738ab7591403e7673b3cacf23eb2082f6991df5c98aec583f8e8ba0163388bb272908d8c20869519f11e59a536e3f49ec0831d4469296f024e2b50083c69afaf60a41f847d534dfcaa0badbdef357037cd0a3334eee00319c57446fb0fffd6f6ecb684b11bed3a1c")

[  451.458140][T24504] binder: 24474:24504 ioctl c0306201 200001c0 returned -14
[  451.496341][T24561] binder_alloc: binder_alloc_mmap_handler: 24474 20001000-20004000 already mapped failed -16
17:34:18 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100004000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:18 executing program 1:
socket$inet_udplite(0x2, 0x2, 0x88)
socketpair(0x5, 0x7, 0x3f, &(0x7f00000003c0)={<r0=>0xffffffffffffffff})
getsockopt$inet_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x1a, &(0x7f0000000400)={<r1=>0x0, 0xbf, "f391c123fec3fa638d52933448a3403936122e2277fd5af8c9dcdc62e89290795175fe1be808c35383cc3283eb29643b04f48ced7f80d426cc4bd475cad0e4170a4632fb4e2ae0ede73625d4cd74dae07d4eea28d5677328c1c607e84c9a693117a85b8488dac468fe1236270cca5f56d1e111830aaba7f587a53eb311a4cc290b2d117a0dd55cf998c9fb5aaf091b161ce0c8ecf2d5b09e9aec7d8fda2563a68acf2f4b1ab32f8b61357fcf71aca6c8ee328bbc0a6168212caba2d99fc501"}, &(0x7f0000000500)=0xc7)
setsockopt$inet_sctp_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f00000005c0)=0x1, 0x4)
getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000540)={r1}, &(0x7f0000000580)=0x8)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r3 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/pmtu_disc\x00', 0x2, 0x0)
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r3, 0xc08c5335, &(0x7f00000000c0)={0x0, 0x4, 0x1a9, 'queue1\x00', 0x3})
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
r4 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00')
sendmsg$IPVS_CMD_SET_INFO(r3, &(0x7f0000000380)={&(0x7f0000000180), 0xc, &(0x7f0000000340)={&(0x7f0000000200)={0x130, r4, 0x728, 0x70bd26, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_SERVICE={0x24, 0x1, [@IPVS_SVC_ATTR_PORT={0x8, 0x4, 0x4e23}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'rr\x00'}, @IPVS_SVC_ATTR_AF={0x8}, @IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}]}, @IPVS_CMD_ATTR_DEST={0x14, 0x2, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x5}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x35fb}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, [@IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0xe4}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0xe, 0x4}}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x4}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@loopback}, @IPVS_SVC_ATTR_PE_NAME={0x8, 0xb, 'sip\x00'}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x2}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x6}]}, @IPVS_CMD_ATTR_DEST={0x58, 0x2, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xb9e}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x6}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7f}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x9}, @IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv4=@remote}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x1}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x6}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x5}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfffffffffffffffa}]}, @IPVS_CMD_ATTR_SERVICE={0x38, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x2, 0x20}}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'sh\x00'}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x3}, @IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0xff}, @IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0xbf}, @IPVS_SVC_ATTR_PORT={0x8, 0x4, 0x4e22}]}]}, 0x130}, 0x1, 0x0, 0x0, 0x20000000}, 0x84)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$KVM_DEASSIGN_DEV_IRQ(r3, 0x4040ae75, &(0x7f0000000600)={0x4, 0x53, 0x8000, 0x201})

17:34:18 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40000001)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  451.525496][T24504] binder: BINDER_SET_CONTEXT_MGR already set
[  451.556106][T24504] binder: 24474:24504 ioctl 40046207 0 returned -16
[  451.624738][   T12] binder: release 24474:24504 transaction 1227 out, still active
[  451.633043][T24561] binder_alloc: 24474: binder_alloc_buf, no vma
[  451.665493][   T12] binder: unexpected work type, 4, not freed
[  451.673307][T24561] binder: 24474:24561 transaction failed 29189/-3, size 24-8 line 3147
[  451.694441][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:19 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  451.722728][   T12] binder: send failed reply for transaction 1227, target dead
17:34:19 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4800, 0x0, 0x0})

[  451.775375][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:19 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000140)='/dev/btrfs-control\x00', 0x200000000002000, 0x0)
ioctl$BLKREPORTZONE(r2, 0xc0101282, &(0x7f00000000c0)={0x80000001, 0x1, 0x0, [{0x543d, 0x10001, 0x8000000000000000, 0x9, 0x4e4, 0x8, 0xfffffffffffffff8}]})
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:19 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = open(&(0x7f0000000000)='./file0\x00', 0x4000, 0x0)
write$UHID_INPUT2(r2, &(0x7f0000000180)=ANY=[@ANYBLOB="0c00000064000bab006876337eb5a8a560ad64f7d314a245c518317e78cc0935cebbc26468dc46ae5bcaebd546f8775045fa95b6e256dda9d789abcc22a13b1996da5c768fba29cfac1e022846a787922fd6567f6f1720884660b1314c999e5c215ad5f47749928ff9827b17db7e912067404b5eb5edbcc6f903ea7ce643464f7b40217b560697dd49a8917b617f06608def53ebb635796eab4f877c9471f7536585e6992d82d3ea30f65ef0b62a60ce97a566017b7738b9aaf9688c68ca62201454bd84cbf420ab700aedc0aacd2ad663abb465d376c5d896cc138c28f027"], 0x6a)

[  451.897686][T24786] binder: 24785:24786 ioctl c0306201 200001c0 returned -14
[  451.924119][T24791] binder_alloc: binder_alloc_mmap_handler: 24785 20001000-20004000 already mapped failed -16
[  451.935765][T24786] binder: BINDER_SET_CONTEXT_MGR already set
17:34:19 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  451.942540][T24786] binder: 24785:24786 ioctl 40046207 0 returned -16
[  451.952684][T24791] binder_alloc: 24785: binder_alloc_buf, no vma
[  451.971400][T24791] binder: 24785:24791 transaction failed 29189/-3, size 24-8 line 3147
[  452.002099][   T12] binder: release 24785:24786 transaction 1233 out, still active
17:34:19 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
clock_gettime(0x0, &(0x7f0000008d80)={<r1=>0x0, <r2=>0x0})
r3 = syz_open_dev$audion(&(0x7f0000008f80)='/dev/audio#\x00', 0x8000, 0x200000)
ioctl$VIDIOC_ENUMINPUT(r3, 0xc050561a, &(0x7f0000008fc0)={0x7, "9fa23c73b8ccf2a4a3d3ef38587c40a840c4d64ff42ff1ec08e4c8afafa62c39", 0x1, 0x38, 0x2, 0x240004, 0x800, 0xe})
recvmmsg(r0, &(0x7f0000008b80)=[{{0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000080)=""/114, 0x72}], 0x1, &(0x7f0000000140)=""/54, 0x36}, 0x8001}, {{&(0x7f0000000180)=@pppoe={0x18, 0x0, {0x0, @broadcast}}, 0x80, &(0x7f0000001300)=[{&(0x7f0000000200)=""/4096, 0x1000}, {&(0x7f0000001200)=""/202, 0xca}], 0x2, &(0x7f0000001340)=""/4096, 0x1000}, 0x100}, {{&(0x7f0000002340)=@pptp={0x18, 0x2, {0x0, @broadcast}}, 0x80, &(0x7f00000028c0)=[{&(0x7f00000023c0)=""/164, 0xa4}, {&(0x7f0000002480)=""/222, 0xde}, {&(0x7f0000002580)=""/170, 0xaa}, {&(0x7f0000002640)=""/87, 0x57}, {&(0x7f00000026c0)=""/234, 0xea}, {&(0x7f00000027c0)=""/250, 0xfa}], 0x6, &(0x7f0000002940)=""/247, 0xf7}, 0xef47}, {{&(0x7f0000002a40)=@in={0x2, 0x0, @broadcast}, 0x80, &(0x7f0000002bc0)=[{&(0x7f0000002ac0)=""/240, 0xf0}], 0x1, &(0x7f0000002c00)=""/46, 0x2e}, 0x1}, {{&(0x7f0000002c40)=@rxrpc=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x0, @multicast2}}, 0x80, &(0x7f0000002f00)=[{&(0x7f0000002cc0)=""/190, 0xbe}, {&(0x7f0000002d80)=""/137, 0x89}, {&(0x7f0000002e40)=""/134, 0x86}], 0x3, &(0x7f0000002f40)=""/241, 0xf1}, 0xfffffffffffffffc}, {{&(0x7f0000009040)=@pppol2tpin6={0x18, 0x1, {0x0, <r4=>0xffffffffffffffff}}, 0x80, &(0x7f0000004400)=[{&(0x7f00000030c0)=""/4096, 0x1000}, {&(0x7f00000040c0)=""/141, 0x8d}, {&(0x7f0000004180)=""/67, 0x43}, {&(0x7f0000004200)=""/215, 0xd7}, {&(0x7f0000004300)=""/222, 0xde}], 0x5}, 0x9}, {{0x0, 0x0, &(0x7f0000005640)=[{&(0x7f0000004480)=""/4096, 0x1000}, {&(0x7f0000005480)=""/33, 0x21}, {&(0x7f00000054c0)=""/94, 0x5e}, {&(0x7f0000005540)=""/186, 0xba}, {&(0x7f0000005600)=""/59, 0x3b}], 0x5, &(0x7f00000056c0)=""/248, 0xf8}, 0x3}, {{&(0x7f00000057c0)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}}}, 0x80, &(0x7f0000008ac0)=[{&(0x7f0000005840)=""/91, 0x5b}, {&(0x7f00000058c0)=""/4096, 0x1000}, {&(0x7f00000068c0)=""/210, 0xd2}, {&(0x7f00000069c0)=""/16, 0x10}, {&(0x7f0000006a00)=""/4096, 0x1000}, {&(0x7f0000007a00)=""/4096, 0x1000}, {&(0x7f0000008a00)=""/158, 0x9e}], 0x7, &(0x7f0000008b40)=""/1, 0x1}, 0x6}], 0x8, 0x1, &(0x7f0000008dc0)={r1, r2+30000000})
ioctl$sock_bt_hidp_HIDPCONNDEL(r4, 0x400448c9, &(0x7f0000008e00)={{0xfffffffffffffffa, 0xdb, 0x85e7, 0x1000, 0x5, 0x1e5e}, 0x3f})
r5 = syz_open_dev$admmidi(&(0x7f0000003080)='/dev/admmidi#\x00', 0xff, 0x0)
inotify_add_watch(r5, &(0x7f0000008e80)='./file0\x00', 0x2000000)
r6 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
readlinkat(r5, &(0x7f0000008ec0)='./file0\x00', &(0x7f0000008f00)=""/70, 0x46)
poll(&(0x7f0000000000)=[{r6}], 0x1, 0x100000001)

[  452.046762][   T12] binder: unexpected work type, 4, not freed
[  452.069143][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:19 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4c00, 0x0, 0x0})

[  452.109456][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  452.143294][   T12] binder: send failed reply for transaction 1233, target dead
17:34:19 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x50000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  452.173622][T25001] binder: 24951:25001 ioctl c0306201 200001c0 returned -14
[  452.204395][T25009] binder_alloc: binder_alloc_mmap_handler: 24951 20001000-20004000 already mapped failed -16
[  452.215298][T25001] binder: BINDER_SET_CONTEXT_MGR already set
[  452.222431][T25001] binder: 24951:25001 ioctl 40046207 0 returned -16
[  452.222533][T25009] binder_alloc: 24951: binder_alloc_buf, no vma
17:34:19 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
setsockopt$inet_MCAST_LEAVE_GROUP(r0, 0x0, 0x2d, &(0x7f0000000240)={0xffffffffffffffc0, {{0x2, 0x4e24, @empty}}}, 0x88)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='attr/fscreate\x00')
ioctl$KDSETMODE(r2, 0x4b3a, 0x0)
setsockopt$SO_RDS_MSG_RXPATH_LATENCY(r2, 0x114, 0xa, &(0x7f0000000080)={0x1, 'g'}, 0x2)
ioctl$RTC_AIE_OFF(r2, 0x80247009)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000100)='TIPC\x00')
sendmsg$TIPC_CMD_SET_LINK_TOL(r2, &(0x7f00000001c0)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000180)={&(0x7f0000000440)=ANY=[@ANYBLOB="31f0276648b2cbafb2153addbb6454396ffce75339766ea9e80ace39920ad0c4e4c03452df174f8216c63c0a000024ab0d3f727d85d6d019e4e61c4f545a0c014fbb95181a5bf2fa1045e783c127048150ba7811ad821ea636e1220a8198dcabdcc6c39b0a57ba06b018b6b20b4db64d91802398a5f81b02e952a223175217f2afa83c795d9a2ff3cdde769b863f8b8e1be97faa85554abf1455fa04d676036f", @ANYRES16=r3, @ANYBLOB="000529bd7000fddbdf25010000000000000007410000001400180000a76e7564703a73797a3000000000"], 0x30}, 0x1, 0x0, 0x0, 0x40040}, 0xc5)
ioctl$KDSKBLED(r2, 0x4b65, 0xfffffffffffffffa)
r4 = openat$null(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/null\x00', 0x400200, 0x0)
setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r4, 0x28, 0x0, &(0x7f0000000400)=0x4, 0x8)
sendmsg$TIPC_CMD_SET_LINK_WINDOW(r1, &(0x7f0000000380)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000340)={&(0x7f0000000300)={0x34, r3, 0x210, 0x70bd2b, 0x25dfdbfd, {{}, 0x0, 0x4109, 0x0, {0x18, 0x18, {0x6, @bearer=@l2={'ib', 0x3a, 'bond_slave_0\x00'}}}}, [""]}, 0x34}, 0x1, 0x0, 0x0, 0x24000000}, 0x4008080)
ioctl$sock_SIOCOUTQ(r0, 0x5411, &(0x7f0000000200))

[  452.265535][   T12] binder: release 24951:25001 transaction 1239 out, still active
[  452.287034][T25009] binder: 24951:25009 transaction failed 29189/-3, size 24-8 line 3147
[  452.298230][   T12] binder: unexpected work type, 4, not freed
17:34:19 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x602, 0x0)
poll(&(0x7f0000000080)=[{r0, 0x40}, {r0, 0x180}, {r1, 0x8120}], 0x3, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  452.324374][   T12] binder: undelivered TRANSACTION_COMPLETE
[  452.350625][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:19 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6000, 0x0, 0x0})

17:34:19 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x10000c000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:19 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40000001)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:19 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008915, &(0x7f0000000140)="9067aeefef")
finit_module(r0, &(0x7f0000000200)='GPL\x00', 0x3)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
r2 = syz_open_dev$radio(&(0x7f0000000080)='/dev/radio#\x00', 0x1, 0x2)
setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r2, 0x6, 0x1d, &(0x7f00000001c0)={0xfffffffffffefffe, 0xc1a2, 0xfffffffeffffffff, 0x5c, 0x4b}, 0x14)
ioctl$UI_SET_PHYS(r2, 0x4008556c, &(0x7f0000000180)='syz0\x00')
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
socket$bt_hidp(0x1f, 0x3, 0x6)
openat$userio(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/userio\x00', 0x0, 0x0)
setsockopt$inet6_tcp_int(r1, 0x6, 0x24, &(0x7f0000000240)=0x9, 0x4)
r4 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x0, 0x4000)
ioctl$RTC_AIE_OFF(r2, 0x80247009)
accept4$packet(r4, &(0x7f0000000280)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f00000002c0)=0x14, 0x80800)
ioctl$RTC_WKALM_SET(r3, 0x4028700f, &(0x7f0000000100)={0x1, 0x0, {0x32, 0x33, 0xc, 0x14, 0x1, 0x3, 0x0, 0x5b, 0xffffffffffffffff}})

[  452.510873][T25225] binder: 25196:25225 ioctl c0306201 200001c0 returned -14
[  452.534528][T25272] binder_alloc: binder_alloc_mmap_handler: 25196 20001000-20004000 already mapped failed -16
[  452.576732][T25225] binder: BINDER_SET_CONTEXT_MGR already set
[  452.601139][T25225] binder: 25196:25225 ioctl 40046207 0 returned -16
17:34:20 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000000200)={'veth0_to_hsr\x00', &(0x7f0000000100)=@ethtool_gstrings={0x1b, 0xc3, 0xc4, "faafccb8f1a75c3e99e911d5c93e91f5f8ce3f648ac5f97c337fdc27f70f477b6d9a17ac652b9873232797d9d0f3a6733c4c4c5898c89ee8f093507e792d03fb371bb2d091e4466da500af8a49694b9e683b4f0b6d7c574d1073bf8829b01323a7993022aaedcec5cc6eea3df3f4767c51914b0ff7394abcfb19b9f1cacdf6ea2daa95a25edcab0a9cec951e398c62237192e636d509236648fd1aa9eca048ac728f2097f76778fc311b254e32bcf2ff58f9f58de977cd9647946c1acde3fb43df9b4242"}})
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer2\x00', 0x20080, 0x0)
ioctl$VHOST_SET_VRING_NUM(r2, 0x4008af10, &(0x7f00000000c0)={0x0, 0x1})

[  452.637910][T25317] binder_alloc: 25196: binder_alloc_buf, no vma
[  452.664073][T25272] binder: 25196:25272 ioctl c0306201 200001c0 returned -14
17:34:20 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000007)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:20 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x100000c912, &(0x7f0000000040)="8aeb7a00003b0d74a8b0d4")
accept$inet(r0, &(0x7f0000000000), &(0x7f0000000080)=0x10)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  452.723789][T25317] binder: 25196:25317 transaction failed 29189/-3, size 24-8 line 3147
[  452.743157][ T7838] binder: send failed reply for transaction 1245 to 25196:25225
17:34:20 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6800, 0x0, 0x0})

[  452.782034][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  452.817092][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  452.839852][    C0] net_ratelimit: 19 callbacks suppressed
[  452.839860][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  452.851486][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  452.864717][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:20 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000180)={r0, &(0x7f0000000080)="c98e81b2638f369841329c360ccb322b1ae6db970cb28923c1010cce3113fa49b15b19effb2b3ee5d6374b4b365c87ff73acdc069ede08f81a575bece4d7849ff8cdaa3c1f131d6c1c4157968067d8cfe951c3b83d979c138f9fedfb637c6a527989f5fe5dd7355ea9124e9cdef192984487c3e5f4fbed5691dbef6e5e3693b1aafa4cfd116b231c07ecbf13db57de501d245c9ad7ac081724ecda3224fbed6de2ed83db9aae5454", &(0x7f0000000140)="5175ec6406b9ac50f84d5007470bd48f9d0992520135459a4f63d78e9138f229c5baa0b23b26fbab5917953aea238db54ff8539fc993c19672", 0x2}, 0x20)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  452.906947][T25576] binder: 25555:25576 ioctl c0306201 200001c0 returned -14
[  452.925398][T25634] binder_alloc: binder_alloc_mmap_handler: 25555 20001000-20004000 already mapped failed -16
17:34:20 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x200000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:20 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$FS_IOC_SETVERSION(r0, 0x40087602, &(0x7f0000000000)=0x3)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
socket$vsock_stream(0x28, 0x1, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x400, 0x0)
ioctl$KVM_SET_MSRS(r2, 0x4008ae89, &(0x7f00000000c0)={0x9, 0x0, [{0x906, 0x0, 0x3}, {0x2b4690e777d59e1, 0x0, 0x3}, {0xb8e, 0x0, 0x8}, {0xa55, 0x0, 0x9}, {0x3bf, 0x0, 0x100000000}, {0x894, 0x0, 0x3f}, {0xbff, 0x0, 0x7fff}, {0x48c, 0x0, 0x9}, {0x0, 0x0, 0x4}]})

17:34:20 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x50000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  452.977111][T25576] binder: BINDER_SET_CONTEXT_MGR already set
[  453.008404][T25576] binder: 25555:25576 ioctl 40046207 0 returned -16
[  453.069839][ T7838] binder: release 25555:25576 transaction 1252 out, still active
[  453.078285][ T7838] binder: unexpected work type, 4, not freed
17:34:20 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6c00, 0x0, 0x0})

[  453.123703][ T7838] binder_send_failed_reply: 1 callbacks suppressed
[  453.123710][ T7838] binder: send failed reply for transaction 1252, target dead
17:34:20 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000008)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:20 executing program 1:
r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x301000, 0x0)
ioctl$KVM_GET_NESTED_STATE(r0, 0xc080aebe, &(0x7f0000000480)={0x0, 0x0, 0x2080})
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x101, &(0x7f0000000380)="0adc1f1a3c12a41d88b0708659e7c032bc5de12a387e330b70eee7c47a32d97da48636ef53a325c0a20427b83a67968cb235b9fda5a651f5b48adb7612157c1c110d5ac90cfe8ee58bf369173e4fb3fcd030b1293223feccb5856a1396116591460b98070323921e1dfab61211054b921a1ecc08b4680e034ca351578b96fb7cf9e6457eb40baa9643dbe31dd9cd57882f0e3433569fbe1399d30d85f7fec2452d25b8cdac8ec238bd9e814b39e8e0a086c138d78ad424442393198c07f5638619dba23ec72df5f0bda8a353f96a8a55c2136b07000000000000808f5c3e76de0e57")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f00000001c0)={0x3, r0})
r3 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/mixer\x00', 0x80, 0x0)
ioctl$KVM_SET_NR_MMU_PAGES(r3, 0xae44, 0x1000)
lstat(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0))

[  453.241970][T25852] binder: 25817:25852 ioctl c0306201 200001c0 returned -14
17:34:20 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  453.288551][T25875] binder_alloc: binder_alloc_mmap_handler: 25817 20001000-20004000 already mapped failed -16
[  453.337739][T25852] binder: BINDER_SET_CONTEXT_MGR already set
[  453.390661][T25852] binder: 25817:25852 ioctl 40046207 0 returned -16
[  453.418923][T25911] binder_alloc: 25817: binder_alloc_buf, no vma
17:34:20 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000007)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  453.441617][T25875] binder: 25817:25875 ioctl c0306201 200001c0 returned -14
17:34:20 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x300000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:20 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f00000000c0)=<r1=>0x0)
r2 = syz_open_dev$vbi(&(0x7f00000001c0)='/dev/vbi#\x00', 0x0, 0x2)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f0000000200)={<r3=>0x0, @in={{0x2, 0x4e23, @broadcast}}, [0xffffffffffff8000, 0x5d55702a, 0x1, 0x1000, 0x2, 0x80000000, 0x3, 0x5, 0x4, 0x1, 0x1, 0x8, 0x401, 0x5b20, 0x1]}, &(0x7f0000000300)=0x100)
getsockopt$inet_sctp_SCTP_CONTEXT(r2, 0x84, 0x11, &(0x7f0000000340)={r3, 0x80}, &(0x7f0000000380)=0x8)
fcntl$setown(r0, 0x8, r1)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r4 = syz_open_dev$mouse(&(0x7f0000000100)='/dev/input/mouse#\x00', 0x7, 0x0)
ioctl$UI_DEV_SETUP(r4, 0x405c5503, &(0x7f0000000140)={{0x15, 0x404, 0xcf0, 0x9}, 'syz0\x00', 0x35})
r5 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r5}], 0x1, 0x100000001)
ioctl$sock_inet_udp_SIOCINQ(r0, 0x541b, &(0x7f0000000080))

[  453.485754][ T7838] binder: release 25817:25852 transaction 1257 out, still active
[  453.508620][T25911] binder: 25817:25911 transaction failed 29189/-3, size 24-8 line 3147
[  453.519804][ T7838] binder: unexpected work type, 4, not freed
[  453.551566][ T7838] binder: send failed reply for transaction 1257, target dead
17:34:20 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  453.592354][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:20 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7400, 0x0, 0x0})

[  453.639796][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  453.639833][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  453.645662][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:21 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000019)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:21 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x20400, 0x0)
getsockopt$inet6_tcp_int(r1, 0x6, 0x3c, &(0x7f0000000080), &(0x7f00000000c0)=0x4)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

[  453.784256][T26296] binder: 26274:26296 ioctl c0306201 200001c0 returned -14
[  453.801330][T26306] binder_alloc: binder_alloc_mmap_handler: 26274 20001000-20004000 already mapped failed -16
17:34:21 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer2\x00', 0x100, 0x0)
lstat(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, <r3=>0x0})
getresgid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)=<r4=>0x0)
r5 = getuid()
write$P9_RSTATu(r2, &(0x7f0000000240)={0x6b, 0x7d, 0x1, {{0x0, 0x4d, 0xf3, 0xc443, {0xc0, 0x3}, 0x80300000, 0x34f8929d, 0x99, 0x0, 0x9, '/dev/rtc\x00', 0x7, '[eth0##', 0x9, '/dev/rtc\x00', 0x1, ','}, 0x9, '/dev/rtc\x00', r3, r4, r5}}, 0x6b)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:21 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  453.849488][T26296] binder: BINDER_SET_CONTEXT_MGR already set
[  453.879817][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  453.885693][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  453.899440][T26296] binder: 26274:26296 ioctl 40046207 0 returned -16
17:34:21 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000008)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  453.941951][T26317] binder_alloc: 26274: binder_alloc_buf, no vma
[  453.981335][T26306] binder: 26274:26306 ioctl c0306201 200001c0 returned -14
[  454.024698][ T7838] binder: release 26274:26296 transaction 1264 out, still active
[  454.038113][T26317] binder: 26274:26317 transaction failed 29189/-3, size 24-8 line 3147
17:34:21 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x5, 0x12800)
ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffff9c, 0xc0206434, &(0x7f0000000080)={0xdc6d, <r2=>0x0, 0x10001})
ioctl$DRM_IOCTL_AGP_ALLOC(r1, 0xc0206434, &(0x7f00000000c0)={0x0, r2, 0x10001, 0x4a1a2357})
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

[  454.073200][ T7838] binder: unexpected work type, 4, not freed
[  454.104128][ T7838] binder: send failed reply for transaction 1264, target dead
17:34:21 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7a00, 0x0, 0x0})

17:34:21 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

17:34:21 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x500000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  454.248326][T26550] binder: 26530:26550 ioctl c0306201 200001c0 returned -14
[  454.279813][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  454.285658][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:21 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000001a)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  454.322399][T26589] binder_alloc: binder_alloc_mmap_handler: 26530 20001000-20004000 already mapped failed -16
[  454.337509][T26550] binder: BINDER_SET_CONTEXT_MGR already set
17:34:21 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x20000, 0x0)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000280)='/dev/kvm\x00', 0x80, 0x0)
setsockopt$packet_tx_ring(r2, 0x107, 0xd, &(0x7f0000000080)=@req={0x1, 0x3, 0x8001, 0x7}, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000240)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000200)={&(0x7f0000000100)={0xfc, 0x16, 0x700, 0x70bd2b, 0x25dfdbfb, {0x2}, [@nested={0xe8, 0xa, [@generic="2829e0833ef7a24daad0a3b59f8d245dbf5d700f135965a00d54b68e54e34de0d101fb6e31100fbbae2e307a67ef53973d76a226ec26488f51ec125755f3ead6be1b279d1eccca6d54bb3553153157496da90491dea2bec167dbf2627e4c92f32823fd6e7f404bcab9ef779dac2a1f83b827d61708123021312e5145b117365bbe759fe9435e7d0deeb95640da09afbc9693abc20f86087f201d85eca00e98b5a9db3ac982f38bfd4ce5fc22343cbcc6704c05aa9e85401bd5afaff5dd834a3a345531afae02f89de947246fe64529332ac38c72c5b373bf15", @typed={0x8, 0x76, @fd=r0}]}]}, 0xfc}, 0x1, 0x0, 0x0, 0x4800}, 0x80)

[  454.391572][ T7838] binder: release 26530:26550 transaction 1271 out, still active
[  454.399358][ T7838] binder: unexpected work type, 4, not freed
[  454.405711][T26550] binder: 26530:26550 ioctl 40046207 0 returned -16
[  454.427627][ T7838] binder: send failed reply for transaction 1271, target dead
[  454.439791][    C0] protocol 88fb is buggy, dev hsr_slave_0
17:34:21 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x1000000, 0x0, 0x0})

17:34:21 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000019)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:21 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = gettid()
fcntl$setown(r1, 0x8, r2)

17:34:22 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x600000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  454.647663][T26802] binder: 26794:26802 ioctl c0306201 200001c0 returned -14
[  454.670575][T26802] binder: BINDER_SET_CONTEXT_MGR already set
[  454.687209][T26867] binder_alloc: 26794: binder_alloc_buf, no vma
17:34:22 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc0\x00', 0x2808c0, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x0, 0x100)
ioctl$ION_IOC_ALLOC(r2, 0xc0184900, &(0x7f00000000c0)={0x6, 0x9, 0xc4755ae8278801d0, 0xffffffffffffff9c})
ioctl$TUNGETVNETHDRSZ(r2, 0x800454d7, &(0x7f0000000100))
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  454.716565][ T7838] binder: release 26794:26802 transaction 1276 out, still active
[  454.725781][T26802] binder: 26794:26802 ioctl 40046207 0 returned -16
[  454.749907][ T7838] binder: unexpected work type, 4, not freed
[  454.769438][T26867] binder: 26794:26867 transaction failed 29189/-3, size 24-8 line 3147
[  454.790836][ T7838] binder_release_work: 4 callbacks suppressed
[  454.790843][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:22 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000001d)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:22 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x2000000, 0x0, 0x0})

17:34:22 executing program 1:
syz_open_dev$audion(&(0x7f0000000340)='/dev/audio#\x00', 0x2, 0x1)
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cachefiles\x00', 0x440000, 0x0)
fadvise64(r1, 0x0, 0x1, 0x5)
ioctl$PIO_CMAP(r1, 0x4b71, &(0x7f00000000c0)={0x5, 0x10000, 0x80000001, 0x0, 0x1000, 0x10001})
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x1, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000100)={<r3=>0x0, @in6={{0xa, 0x4e21, 0x6, @mcast2, 0x7}}, 0x6, 0xffffffffffffff19, 0x101, 0x401, 0x40}, &(0x7f0000000200)=0x98)
setsockopt$inet_sctp_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000300)={r3, 0x7fff, 0x4, [0x92a, 0x5, 0x3, 0x20]}, 0x10)
ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f00000002c0)={0x0, r0, 0x5f58, 0x1, 0x7fff, 0xffffffff80000001})
ioctl$sock_inet6_tcp_SIOCOUTQ(r1, 0x5411, &(0x7f0000000380))
getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r1, 0x84, 0x18, &(0x7f0000000240)={r3, 0x800}, &(0x7f0000000280)=0x8)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  454.850242][ T7838] binder: send failed reply for transaction 1276, target dead
17:34:22 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000001a)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  455.026722][T27046] binder: 27021:27046 ioctl c0306201 200001c0 returned -14
17:34:22 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$EVIOCSABS0(r1, 0x401845c0, &(0x7f0000000080)={0x6, 0x7, 0x0, 0x2, 0xfff, 0x5})
ioctl$RTC_AIE_OFF(r1, 0x80247009)
getsockopt(r0, 0x2, 0x4, &(0x7f00000000c0)=""/234, &(0x7f0000000000)=0xea)

[  455.088006][T27046] binder: BINDER_SET_CONTEXT_MGR already set
[  455.108103][T27165] binder_alloc: 27021: binder_alloc_buf, no vma
17:34:22 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:22 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
finit_module(r0, &(0x7f0000000100)='/dev/vcs#\x00', 0x3)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$adsp(&(0x7f0000000140)='/dev/adsp#\x00', 0x8000, 0x40)
ioctl$PERF_EVENT_IOC_SET_FILTER(r2, 0x40082406, &(0x7f0000000180)='\x00')
r3 = syz_open_dev$vcsn(&(0x7f00000000c0)='/dev/vcs#\x00', 0x5, 0x2000)
ioctl$KVM_CREATE_IRQCHIP(r3, 0xae60)
ioctl$KVM_PPC_GET_SMMU_INFO(r3, 0x8250aea6, &(0x7f0000000200)=""/212)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  455.147656][ T7838] binder: release 27021:27046 transaction 1282 out, still active
[  455.156799][T27046] binder: 27021:27046 ioctl 40046207 0 returned -16
[  455.187583][ T7838] binder: unexpected work type, 4, not freed
[  455.219313][T27165] binder: 27021:27165 transaction failed 29189/-3, size 24-8 line 3147
[  455.233180][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  455.258409][ T7838] binder: send failed reply for transaction 1282, target dead
17:34:22 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc0000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:22 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x3000000, 0x0, 0x0})

[  455.305747][ T7838] binder_release_work: 2 callbacks suppressed
[  455.305757][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:22 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
fcntl$dupfd(r0, 0x406, r0)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x4001, 0x0)
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(r1, 0xc058534f, &(0x7f0000000080)={{0x4, 0x8}, 0x0, 0xffff, 0x1, {0x3, 0x5ff}, 0x10001, 0x1})
getsockopt$inet_mreqn(r0, 0x0, 0x20, &(0x7f0000000200)={@local, @remote, <r2=>0x0}, &(0x7f0000000240)=0xc)
connect$packet(r1, &(0x7f0000000280)={0x11, 0x4, r2, 0x1, 0xd037}, 0x14)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
syslog(0x0, &(0x7f00000002c0)=""/241, 0xf1)
fstatfs(r1, &(0x7f0000000100)=""/207)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

17:34:22 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x100ffd, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  455.463379][T27408] binder: 27407:27408 ioctl c0306201 200001c0 returned -14
[  455.526373][T27408] binder: BINDER_SET_CONTEXT_MGR already set
[  455.548670][ T7838] binder: release 27407:27408 transaction 1288 out, still active
17:34:22 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:22 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000001d)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  455.573229][T27412] binder: 27407:27412 ioctl c0306201 200001c0 returned -14
[  455.589288][ T7838] binder: unexpected work type, 4, not freed
[  455.614178][T27408] binder: 27407:27408 ioctl 40046207 0 returned -16
[  455.621735][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  455.647993][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:23 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = syz_open_dev$dspn(&(0x7f0000000080)='/dev/dsp#\x00', 0x104, 0x801)
ioctl$IOC_PR_REGISTER(r2, 0x401870c8, &(0x7f00000000c0)={0x8, 0xf021, 0x1})

17:34:23 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4000000, 0x0, 0x0})

[  455.689901][ T7838] binder: send failed reply for transaction 1288, target dead
17:34:23 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000), 0x0, 0x100000001)

[  455.812798][T27639] binder: 27627:27639 ioctl c0306201 200001c0 returned -14
[  455.855856][T27701] binder_alloc_mmap_handler: 3 callbacks suppressed
[  455.855875][T27701] binder_alloc: binder_alloc_mmap_handler: 27627 20001000-20004000 already mapped failed -16
17:34:23 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc0000001)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:23 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x800000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:23 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
syz_open_dev$rtc(&(0x7f0000000000)='/dev/rtc#\x00', 0x3ff, 0x6c876c8dc8d18bea)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  455.982436][T27639] binder: BINDER_SET_CONTEXT_MGR already set
[  456.025552][T27639] binder: 27627:27639 ioctl 40046207 0 returned -16
17:34:23 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc0000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:23 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
ioctl$SNDRV_CTL_IOCTL_PCM_INFO(r0, 0xc1205531, &(0x7f0000000080)={0x1ff, 0x138, 0x88, 0x80000000, [], [], [], 0x2, 0x4, 0x2, 0x7fffffff, "f99d601f0938c749db2bed975a56aab3"})

[  456.076283][T27861] binder_alloc_new_buf_locked: 1 callbacks suppressed
[  456.076295][T27861] binder_alloc: 27627: binder_alloc_buf, no vma
[  456.108382][T27861] binder_transaction: 1 callbacks suppressed
[  456.108596][T27861] binder: 27627:27861 transaction failed 29189/-3, size 24-8 line 3147
17:34:23 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
write$binfmt_aout(r0, &(0x7f0000000000)={{0x10b, 0x5, 0x100000000, 0x235, 0x9, 0x1ff, 0x1e5, 0x8}, "542e4cab58c05c8c6a56"}, 0x2a)

[  456.206617][T27639] binder: 27627:27639 ioctl c0306201 200001c0 returned -14
[  456.228405][ T7838] binder: release 27627:27639 transaction 1295 out, still active
[  456.250465][ T7838] binder: unexpected work type, 4, not freed
17:34:23 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x5000000, 0x0, 0x0})

17:34:23 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x800008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  456.300907][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  456.330288][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  456.336737][ T7838] binder: send failed reply for transaction 1295, target dead
17:34:23 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000400)='/dev/snapshot\x00', 0x40081, 0x0)
getpeername$unix(r1, &(0x7f0000000440)=@abs, &(0x7f00000004c0)=0x6e)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$sock_ifreq(r0, 0x8994, &(0x7f0000000300)={'nr0\x00', @ifru_mtu=0x80000001})
ioctl$void(r1, 0x5451)
getsockopt$bt_BT_RCVMTU(r0, 0x112, 0xd, &(0x7f0000000080)=0xfffffffffffffffc, &(0x7f00000000c0)=0x2)
r3 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000100)='/dev/qat_adf_ctl\x00', 0x1, 0x0)
getsockopt$inet_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1a, &(0x7f0000000340)=ANY=[@ANYRES32=<r4=>0x0, @ANYBLOB="5600000056a1ce900726f1446edb39dddc80eb7cb277020033052c2647291c34a873a6677e71e6b980c2261b80ca0f9d755d29fe79497abe2ae844bcecea35b5dde4fd763e46d5000000000000007ee2682ba4e486d51b0bf4e702ba33cfb14ebde662829cbbdc35f9657916"], &(0x7f00000001c0)=0x5e)
getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(r3, 0x84, 0xf, &(0x7f0000000200)={r4, @in6={{0xa, 0x4e21, 0xffffffffffffffff, @local, 0x6}}, 0x8000, 0x8, 0x8, 0x575, 0x80}, &(0x7f00000002c0)=0x98)

17:34:23 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xf6ffffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  456.451041][T28095] binder: 28088:28095 ioctl c0306201 200001c0 returned -14
17:34:23 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000001180)="0adc1f123c123f3188b070")
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040)='TIPCv2\x00')
sendmsg$TIPC_NL_BEARER_ENABLE(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="26e9fa6c400000", @ANYRES16=r2, @ANYBLOB="010000000000000000000300000058000100100001007564703a73797a310000000044000400200001000a00000000000000fe80000000000000000000000000000000000004200002000f0000000000000000000000000000000000ffffac1414aa00000000"], 0x6c}}, 0x0)
r3 = socket$inet_udplite(0x2, 0x2, 0x88)
r4 = open(&(0x7f0000000000)='./file0\x00', 0xa2100, 0x2)
ioctl$LOOP_GET_STATUS(r4, 0x4c03, &(0x7f0000000180))
ioctl(r3, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r5 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r5, 0x80247009)

17:34:23 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc0000001)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  456.535480][T28173] binder_alloc: binder_alloc_mmap_handler: 28088 20001000-20004000 already mapped failed -16
[  456.574515][T28172] binder: BINDER_SET_CONTEXT_MGR already set
[  456.606269][T28172] binder: 28088:28172 ioctl 40046207 0 returned -16
[  456.642580][T28173] binder_alloc: 28088: binder_alloc_buf, no vma
[  456.663757][T28173] binder: 28088:28173 transaction failed 29189/-3, size 24-8 line 3147
[  456.700697][ T7838] binder: send failed reply for transaction 1302 to 28088:28095
17:34:24 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = syz_open_dev$vbi(&(0x7f00000002c0)='/dev/vbi#\x00', 0x2, 0x2)
ioctl$UI_SET_FFBIT(r1, 0x4004556b, 0x4e)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r3 = add_key(&(0x7f0000000100)='syzkaller\x00', &(0x7f00000001c0)={'syz', 0x1}, &(0x7f00000004c0)="aff84bd26e192baa9ffb9e7942153ed652399d7af2c787832559baa9b29b87c0d193fc69ef7cd75135f54a7778862c05aa7a03b7ccd4dad6d21bb772eda986a36ffb93acd5a9e060daa2afbb12db1291f7145bd646d32720e261ff1daa756974c7e1ac87df92542dd4633254aac22d0571281d1c0428bca2ee9cff2c8f1de2537443f28d0fc14d69ee3d222f8f38b4d9b86c0af794ec3faeda06132344d61b8a10e84b7b817a832fad30a82f22c28a6c56030d1ffe2239bcda3242ed73ec37c173d3c0d085250114124ed50486386a11be27d6668d89bb0defd3e7afe1ad001cbab7ea8101fd12aa4a5dad8cb83d6b7f441ddca3a997db660dc7f1fb11ac7ed45a252c8cbf8d4e43c1f3cdd362d1ef7159b89b69d94eb3c094c13b051a4f0e0da96f01a8cd632e5d9363df59baf3a8a527e138ec955774c3d968ae6d34864bacf9a77098e69f5d27309c3917ed10530a0972b751e64c4366f3bcd16045e1caf75feec342402470531a44e9e358fa42312130a360f1923cacccc7d23f8859f765527983746b385340e8c70d1d5e8826a8c14c6243aa7592be88ba1532abf298fb8203c7a767239046bfdb6b57b98b8330cb92dae5809328f7aeae6a7a4bb4be690316bbf13b080893591fd94f186d9182fe33a68f430ac50271887de43a53da4e67d51c406e5b9e6e13fb1f7ad97f274baff989ccdc787d597d66f812990b596533ba26ef2743b8f456d71d2091d909745f37c7257d9df06fb4e5ab6d6eaa26435134800053c31f9a7d3d7f68e24b403c06ddfce8cb29ca9fde96550bbc916f3ece42c026c9f3a53ab38c5e57b6da903936d4674d5ec7859e3a3b26c8ae704903035544266b11f6e3619236147683b81c30fc69b509c8a796add4ee9b7ee0ba13c51d9a92dcc8e472a1173e4ac5b55fa2e056314f49450f265b9f3afbc6e42c96a455f938ed8bd56d613776270ebd838f10ddd90e7a8f4473a7bef916cc23ff4a11781ab978d4c1fc5be002143d79b930922032c019f7aaf630594c696dfac105c5f1c1b5519173b33f94b70d1cee2d92bb71cdb02cae097975261f6450f40a3734fb740a465fa82b8925951bd52478b06841da25116000932799c5900dc89b7d4720084c4a7fb102be8ae931a5d9bce56a289a0e8a0ed00e6e65ed6015e367faf3f15ffde6ddd315fd8b230d492811b45cabe56abea55ab202a587700335aeea5f626127daad0a4791080e889a9de1a3bb9ebe1d751fd28ba49d9751638491618c32a4361838253af98c2da88f2785e1f4fe0a2fea508bbedb508472d11161584a50ee17efa66d3fc295b7270b1aee35085ca7df8430f1c9293298bb09d9b4e27ed3201a32ebe35eb891a251100f55207bb5d80b4cb5808dc42d208b6e35df0ba915959df86c3893be3d76aaf194a3835228346c2ae350fc6e54c762ffb4e9b095831835d4bdf5c954e07dd9efd325d5c90ee0f49e6f5757d9f4a0e1cf938e7bc62432162d1af459b301e9ddfe9f4a9ab0eeb04c560f81238a3c6f2385802723bb86690969287de30a8ddfc7df3c2e17f37dbe3b766436517cf59ebd19a28d456f829b0cae7799b18a20c518490da90d222787dfc5ca1dbf2c3c757c33c1e133d73c9f11e094ba50c923057a9da4c0983f881a6f60e3d703d14e98e93aff655323b524d4238f8b3f4a39a73b4d624b972db29d4dde7544a77be85d6698551df18a4d8213f17b13525c60460e3fc1f6e4dee8882ae3da819032a62c2031cb231a3e1547b5d4312722a50378e541cdd7bf62db65dee307939333f8393d8e1d2b47d84b6021f70051b133e47cd51f8244fa8d6f9193c518309c874df64afcee1e374de3c859c85f6cb238dc09de5b88c3209cf8e44b0dd81024b2ff6a56d8bfa4108b71a401ddcac2c1b742498b12b212e394883796b773a1f20a29f230bcea7463126888059b1f8fc077121173e29152f6864aa7ad6dae0ac14a4fb0d3e1e58af12e2a73d25e76cddb4a166e1b55f0a64c5c724a291fb1a328b5b6841b5d059eb4899e86014d33f9d48ff55ce1114bb3c1ff0920e2797d428ee4d2aaab70fb4caafa8ed978fae9bcd6b08971f8037af8d990486af832c306b8eff4b2a992d0228217831ea16208157b1d604ebb47b7ac18184844320660ef027229764af7a226220f50f2558450475529ea2044577d5334a3802be552e8c97ae3cba085afd465c3cdae8ac47fa877e92d299f0759510f99ec26ef150e49ed31e0586777133a946d363196ddb8466ccf6229a95beb7b43f738bfddcfe52ec631167fa44840fc62a866adbe0b53ac3cf6d38703e103e1bf3d71f35d2674f27669b518f3e006710d191ab860d5c76208bdc2332daf722c7f3bdfde76cae1e09a5818b93af49b7d1461d2c67bb4529c94adb6957e63588c1c923248d9fc65848575ca2db376849f9022449a16ce59122eccaeaaeaf4b819096ed1826d9e4318a8e9132506a5b9e4add0152f5a4b8ded14d0dcf46e4f4d5368610b32f37f843a0ce7cab54a88baad0bd0cd3d1c67c2919f393c1965c3ac423a53d4ad9dd1cac9f8c33e8750b899746ede8126931c60663b26db29dadf47a5b944ab56d86d9e0139aa8f5a4ad1d27c6c4dae34dbc346356b9234583ea844ebf9f6489c0f79e54bda9fc79c66387917c21b4399e1d5cf36dffa169354c4cb84f6f018f74183248449c443c9d2ffd022180d213a4c2586e1a4ae45bef64e69ca91a911ff046eaed887bbbd2c89056f173c0aac83df5494a4a1529a61454ca7ad61a8ea0a5c3328f38f9fd7a8c53a4eccef2ffaba4d751bf445fc87dba09508d795166dec48847d64d4781c5f7eccd9430a37994554cc1511f3f2ff82415c9560300a4260597afd3016c987600fcc54ec07f200913341b27d0f9bdc27975bd46e6f0ad9ed2095e50420840be6c4d5bff8ec35e1ae2598ba879fa84daf7f5432924eff27ec1fc6e0671f2a1a8dd36cb06927d0c7caf73b76b47d570ade1592887f948596f366e2233538ddbcaaa2354b6b0d08463bf294c92da1038ae8e0bdb5cd4b669c6e7f34bd99b1c3c5b61904983147c49fa2bcc02c9c6d77eee3d12c51dfbb0434104f5b6f73128406ac350a89fe38c8daa7dcbdb41aa7eae467887580b20f75ca8a52c5825ad5b8d13faa85480956c756a916afdf64e96226da8ac91b0d09612257e1c267925dfa147bbca70616f0b0cfcdc20fe6852296ab490ef1f8597eea150f0f36adb0690bac3977dcdaa9c103d0be14ab1791decc5f05c46759717e393ada8e98c538f3dac88f9e1bfb6491b4a5f0bc7aa813d1ce2ff6da7defc867beb74f4d69b06270b3ce53543839e062632f8238acb4f437fb1f88dd21bf18cb3302bb497c76829b470d5466d040945062c2b35b2873c36f74f6216e4f7786bee1b6e40cbd5dc2f0e08adba07a3224accd8d2f8bdf9af8bf8deda09660a95175f31a77105ac16646fcd139b4a3a9bd2d6a3810d49691da0547dd44557af682f48165ea20c2088eba6f864a9f028c43ce520eac6022fb6154eb4b2603760a3ffa6ebf972c3b3329292d2cf9da5aeb341b2a9c6f7d67a30b40a3b80bc9257298bf01b0d33b70e76d41e0c3354e7e0834642b6ef564a3da4e02046df1861e8a3b52ac0e2cf13d9fa630b675253f123348a079f4874faa8d0b347ab56925a7f3917bfea0ed743adf7d8bee2eaec2b4c0fa0001040b1c637aa4556f360fb0ea996aeba5c388fc35ddcabebe5c2f55310dc70acbc535fcfcfa851d786fa4b03b3faf9e2950e349402d94487b5abbf72d4764bba090dc7cc644fd6b3d8f0930d30c8023d4b9acf66c47b923d91ac00c46c9d1223dbe12b3870f3ebd50dae7cb3d233e43c35d9ff2f8ccc9b8c2f28079a1e5038b3bbc577eeaefaa914557660855d0d8aa6ac18de01dbbad251aa2642a9ca7520499117b5859d7a1a01710fd252b3aa7384f3beccbecdab6904650ee165224aa609aa98d91f08b8e5825474babcf3017a92eb5c1bae6fdb006d4431777cf27e002a95524dcd1a28808579100ee5a203daac3d1d549b63ceb0549f672112bbde3414bcb62fd5abf011337373c9fba0d3ee416111342c913e4b002a9adec8a945a6dbb63d83413c7bc961ec42197aea38c0045a554cec234ed5fe6070dc0aba0d064441a0d5df153ff6278713538e6f6af2372f0dd452c29b4b13991e44269b36fe45256f159aa607fb54362f7e1cc5f940424f8078e2909aa86cba541b80cd173a10577b8c765bb3b3eafe360cff127a4e54120c914dbaddf8a1c21f8e13b797ca537994d6d7b167a3a12ba38c4d3ee1d451e1122d61abf1d9d7251c5a1cfe96811715f0f825cc7e0fd6e8ba6680cd5182bc684ca4f997f45fede70e74e3812ff6ab8db16e3b647529c52fa478e810e224fc241825f10fbcbb634516b5ada8e3c6846334e3dedc27d8ebe55c09883c37ce5f21f07d3e4c801e1d76c86bba8ef7169520c75b71c1816e81df42fcb76c6e6077be85516d3b9f8720c430333cbf74405f4ccf4fe5bcd696815502cb4b33d1bcf04328e473c6fdfed902634eaf9e0f6b0277e0c40bfd17f24e74841cfdbd39e14a7db522736741f3e1272b729ef936a5fc959f40489af2622f56f567cf7bc709cf1e8c0f8f5fa04b6996adb8d1755e345761e9c9058d9181c1a2551cbeebb9d505fe390b9b5353a5454d2c77f8ea4105a0331c4a9e5597d6e785a1d02c40d2c2b6e1052074e267fa2f0ef05474e106054e81d03b53e44108b5545783c1e10bc692c46bc339e636c6c3eb625e435d412bb613d99db37b19be3c73177979581c78ca332fe3b17a452c4deac6b13bc2e24168f7fb0f85e73202629231755ebbf98a01f13c65bb5cd1fea2c356bfef357c98f5ca0c526b85cc24f030c325e5408a108d6ca16aa3b47d3b25e87615871977e679a672fe8073e821625cdc6eef737c40dc13ac0d653a38181cd9434cc6336415a77800f66eef20b3d02330965cd7b93af051d27b738770f0d2a0330021dc820b4b6ff46b24cf45c7d27cfa3c183c77855355363c9b90d8a51aeff68bb7f5d9ff0a7513c3a1934ea7db64cb493de22a834520bc0eeb290df4814ba1229d437ae32a327d8b8c389652e8650bff76ff2f6a274b132df621ecf2dac4d26b3b69ab6f30379b4374a199d7f27777af8d2521931cc8314b39b544f0e348dd34681fd9238ecb2b45b02f8a2c14f841478e8d459eb9b59ce4a77a472ff9611714f68ea2a517c35f67da3076971e573c3ed0d15a68bd0df00d5228412f6a16f670ced9070e73b2407046cb9d591081e1fe51cee7d7186a23b14b108205a83ab886ede69a1171937f1ddee6a8c9e75fd5fab924a3dbd43cd96e21fe66417800667d55d1180887bf91c8384a1df245d57b8e43f389725e7454683212be2eda45cb99ca17a789fd44293239a3831719aefce438e1e7147ccfa7873ae3973fdef6e76a3264882728e470f499ed9b2d5b86a370ae544d4a01b6320cdb2c840fe9961ded64c52386cc011418ab87b3be952fd19156f54eb15d79332696c846df251eef7099de3ad1d63912df90d19c2c768518f9753ad2901493eb90382829b92b055cc6389492941089f0f0d8e882fc7440e4e8f6024545697386995e11074a8270a57f9c120d008c96abb3786be67da281807fd8db41c141a3a601fa8bf7db43d7432dc1341050df0369a9988d22e497d9a00742e760ac02be092a6ab0d54b8d4e1fb52025cd99a5e08f44f3ee2366824b264bbddfe19565392a358ca57543eacbfaf2a7cbea0328c", 0x1000, 0xffffffffffffffff)
keyctl$read(0xb, r3, &(0x7f0000000200)=""/74, 0x4a)
r4 = open(&(0x7f0000000000)='./file0\x00', 0x88000, 0x0)
r5 = syz_genetlink_get_family_id$SEG6(&(0x7f00000000c0)='SEG6\x00')
sendmsg$SEG6_CMD_SET_TUNSRC(r4, &(0x7f0000000180)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="2c0000102d64e0ce99d0c969d3f68cc423d0231fec2a06238122ebc889f1417417ef4ee3ed2b88c71108a7c887b388caa9fe08bf0101481c03352e5037a2b100b08762dcb1bac8d84258ef2008a21d07df9994ea214066a10cf8cfd21dc80b527066d50f3d869f11410c1d670fa4f02c68f8ec8733b822bc0ec57ff3fdf5942eaa846602bcbe3976998593e22fb189ceeee4cdf7ae9d2cf96288e33a4fccc8ac69c2b369b3a9589ff36e0c34af35374d085b564f342b8346d9711d31f808c66ed81f501c65d0711fccd7107c625f47a94b5b9d6f8fa306100064449546ac144082f1990411ae747e0139d21c91fbde96bfb8e31b0ae65a9c44a70d2afaa44b3cbfd2ce73849f005d752f0e35cca1e35517f46908cd14b3060c4c92299e794b933fd1e15a778046d31b9a650d521bf9b476091284992119f0ca552f95c75cf58adda1f8f0dd63217123b79f9a485554e0dac865eae9d0e7bda9bd2cdd30f12df9348ce6235c67708103f12b63d77b96291adfeedc5e4dc6", @ANYRES16=r5, @ANYBLOB="28052abd7000fbdbdf2503000000080006000000000008000600ff000000080004000080ffff"], 0x2c}, 0x1, 0x0, 0x0, 0x4000040}, 0x4000804)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

[  456.735645][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:24 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = request_key(&(0x7f0000000080)='dns_resolver\x00', &(0x7f00000000c0)={'syz', 0x2}, &(0x7f0000000100)='\xc7.\x00', 0xfffffffffffffff8)
keyctl$assume_authority(0x10, r1)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:24 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6000000, 0x0, 0x0})

[  456.782536][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  456.794244][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  456.875137][T28418] binder: 28404:28418 ioctl c0306201 200001c0 returned -14
[  456.911709][T28434] binder_alloc: binder_alloc_mmap_handler: 28404 20001000-20004000 already mapped failed -16
17:34:24 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfcfdffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  456.936683][T28418] binder: BINDER_SET_CONTEXT_MGR already set
17:34:24 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
rt_sigpending(&(0x7f0000000080), 0x8)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f0000000000)={'ifb0\x00', {0x2, 0x4e21, @local}})

17:34:24 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x900000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  456.996461][T28418] binder: 28404:28418 ioctl 40046207 0 returned -16
[  457.005958][ T7838] binder: send failed reply for transaction 1308 to 28404:28418
17:34:24 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0xfffffffffffffffe, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  457.058110][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  457.091469][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:24 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7000000, 0x0, 0x0})

17:34:24 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xf6ffffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  457.220908][T28709] binder: 28692:28709 ioctl c0306201 200001c0 returned -14
17:34:24 executing program 4:
r0 = accept4$vsock_stream(0xffffffffffffff9c, &(0x7f0000000000)={0x28, 0x0, 0x0, @hyper}, 0x10, 0x80800)
sync_file_range(r0, 0xfffffffffffffffd, 0x1, 0x1)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)
pwrite64(r2, &(0x7f0000000080)="fe48c0ade7ddd9e96c54d306f98b9f61156cc20e4567cd3d23629ec5a86ec024dbfa9843cce9e9bab898720f45926614ce4c9e5702243f0681d62c461800292380df8aec62d7827b7b64ce02dfcc2821f67c8ce7b122e26f4c3b5580eb9ef33a7e712b5eb5db156bc2052a161857cf4c70b3af7f8f9b20a2022a4cdb529d8bdd1e568cd5cc9c67fb5e88fa20ed08c6cf9563174a81cd3952ec1ab16d2ca166be81113efad1c55beeea695f59c886f6225e35ae147f39", 0xb6, 0x0)

[  457.268068][T28743] binder_alloc: binder_alloc_mmap_handler: 28692 20001000-20004000 already mapped failed -16
[  457.330610][T28709] binder: BINDER_SET_CONTEXT_MGR already set
17:34:24 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vcs\x00', 0x20101, 0x0)
ioctl$KVM_SMI(r2, 0xaeb7)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r2, 0x84, 0x73, &(0x7f0000000100)={<r3=>0x0, 0x80, 0x30, 0xffffffff, 0x7}, &(0x7f0000000240)=0x18)
getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r2, 0x84, 0x72, &(0x7f00000000c0)={<r4=>r3, 0x80000000, 0x30}, &(0x7f0000000080)=0xc)
ioctl$SNDRV_CTL_IOCTL_TLV_COMMAND(r2, 0xc008551c, &(0x7f0000000280)={0x10000, 0x10, [0x9, 0xfffffffffffffffb, 0x5, 0x5]})
ioctl$VIDIOC_S_EDID(r2, 0xc0285629, &(0x7f00000001c0)={0x0, 0xfff, 0x1, [], &(0x7f0000000180)=0xffff})
setsockopt$inet_sctp6_SCTP_RESET_STREAMS(r2, 0x84, 0x77, &(0x7f0000000200)=ANY=[@ANYRES32=r4, @ANYBLOB='\x00\x00\x00\x00\x00\x00'], 0xa)

[  457.371074][T28709] binder: 28692:28709 ioctl 40046207 0 returned -16
[  457.403225][T28835] binder_alloc: 28692: binder_alloc_buf, no vma
17:34:24 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:24 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  457.458226][T28743] binder: 28692:28743 ioctl c0306201 200001c0 returned -14
17:34:24 executing program 4:
r0 = pkey_alloc(0x0, 0x0)
pkey_mprotect(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x2000002, r0)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
r2 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x10000)
setsockopt$TIPC_GROUP_LEAVE(r2, 0x10f, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x3f, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)
r4 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x1, 0x2)
getsockname$packet(0xffffffffffffff9c, &(0x7f0000001800)={0x11, 0x0, <r5=>0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000001840)=0x14)
lsetxattr$trusted_overlay_nlink(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='trusted.overlay.nlink\x00', &(0x7f0000000100)={'L+', 0xfffffffffffffffb}, 0x28, 0x2)
ioctl$sock_inet6_SIOCSIFDSTADDR(r4, 0x8918, &(0x7f0000001880)={@local, 0x57, r5})

[  457.500650][ T7838] binder: release 28692:28709 transaction 1313 out, still active
[  457.510920][T28835] binder: 28692:28835 transaction failed 29189/-3, size 24-8 line 3147
17:34:24 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0xa000000, 0x0, 0x0})

[  457.521452][ T7838] binder: unexpected work type, 4, not freed
[  457.521462][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  457.521550][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  457.521622][ T7838] binder: send failed reply for transaction 1313, target dead
[  457.643173][T28943] binder: 28942:28943 ioctl c0306201 200001c0 returned -14
17:34:25 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x7ff, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  457.716943][T29061] binder_alloc: binder_alloc_mmap_handler: 28942 20001000-20004000 already mapped failed -16
[  457.781639][T28943] binder: BINDER_SET_CONTEXT_MGR already set
[  457.796796][T28943] binder: 28942:28943 ioctl 40046207 0 returned -16
[  457.816016][T29127] binder_alloc: 28942: binder_alloc_buf, no vma
17:34:25 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:25 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1002008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = syz_open_procfs(0x0, &(0x7f0000000140)='auxv\x00')
ioctl$NBD_SET_BLKSIZE(r1, 0xab01, 0x2)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
socket$inet6(0xa, 0x7, 0x7f)
ioctl$RTC_EPOCH_READ(r2, 0x8008700d, &(0x7f0000000180))
getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(0xffffffffffffff9c, 0x84, 0x6c, &(0x7f0000000080)={0x0, 0x4e, "23f4d1c1058e6930fbb64fa594927eba91a32759b58731dacb78d38d92c702c39f9e8a7dfd66bc996ba806acbb2e5716b2f69e3c5b77f239c395e23258faf56a7ed9a3623b124da21524c46d7725"}, &(0x7f0000000100)=0x56)

17:34:25 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfcfdffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  457.844730][T29061] binder: 28942:29061 ioctl c0306201 200001c0 returned -14
[  457.855052][ T7838] binder: release 28942:28943 transaction 1320 out, still active
[  457.875328][T29127] binder: 28942:29127 transaction failed 29189/-3, size 24-8 line 3147
[  457.914512][ T7838] binder: unexpected work type, 4, not freed
[  457.956138][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  457.987747][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:25 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xff600000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:25 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x20000000, 0x0, 0x0})

[  458.018888][ T7838] binder: send failed reply for transaction 1320, target dead
[  458.039820][    C1] net_ratelimit: 18 callbacks suppressed
[  458.039829][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  458.051578][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:25 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
tee(r0, r0, 0x6, 0x4)
ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_WIE_OFF(r1, 0x7010)
r2 = openat$cgroup_procs(0xffffffffffffff9c, &(0x7f0000000000)='cgroup.threads\x00', 0x2, 0x0)
ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000080)=<r3=>0x0)
write$cgroup_pid(r2, &(0x7f00000000c0)=r3, 0x12)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  458.115037][T29333] binder: 29324:29333 ioctl c0306201 200001c0 returned -14
17:34:25 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
io_setup(0x3, &(0x7f0000000080)=<r2=>0x0)
r3 = syz_open_dev$midi(&(0x7f0000000100)='/dev/midi#\x00', 0x1, 0x90202)
io_submit(r2, 0x1, &(0x7f0000000180)=[&(0x7f0000000140)={0x0, 0x0, 0x0, 0x7, 0x3, r1, &(0x7f00000000c0)="36efa20c5dd4a9d766f5", 0xa, 0xfff, 0x0, 0x2, r3}])
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  458.203676][T29375] binder_alloc: binder_alloc_mmap_handler: 29324 20001000-20004000 already mapped failed -16
17:34:25 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  458.261825][T29333] binder: BINDER_SET_CONTEXT_MGR already set
[  458.296876][T29333] binder: 29324:29333 ioctl 40046207 0 returned -16
[  458.333650][T29487] binder_alloc: 29324: binder_alloc_buf, no vma
17:34:25 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
syz_open_dev$midi(&(0x7f00000000c0)='/dev/midi#\x00', 0x5, 0x111000)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
getsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f0000000000), &(0x7f0000000080)=0x4)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  458.375024][T29375] binder: 29324:29375 ioctl c0306201 200001c0 returned -14
[  458.400519][ T7838] binder: release 29324:29333 transaction 1327 out, still active
[  458.408421][ T7838] binder: unexpected work type, 4, not freed
[  458.416212][T29487] binder: 29324:29487 transaction failed 29189/-3, size 24-8 line 3147
[  458.439830][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  458.445683][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  458.446051][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:25 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:25 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x3f000000, 0x0, 0x0})

17:34:25 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000180)="0adc1f123c12a41d88b070")
pipe2(&(0x7f0000000100)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x80000)
ioctl$BLKGETSIZE64(r1, 0x80081272, &(0x7f0000000140))
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
setsockopt$SO_VM_SOCKETS_BUFFER_MIN_SIZE(r0, 0x28, 0x1, &(0x7f0000000080)=0x8, 0xfffffffffffffcc8)
mmap$perf(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x2000000, 0x101010, r1, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r0, 0x400c6615, &(0x7f00000000c0))

[  458.497291][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  458.532687][ T7838] binder: send failed reply for transaction 1327, target dead
17:34:25 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffff8000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  458.599817][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  458.606585][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:26 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  458.645368][T29634] binder: 29593:29634 ioctl c0306201 200001c0 returned -14
[  458.681493][T29736] binder_alloc: binder_alloc_mmap_handler: 29593 20001000-20004000 already mapped failed -16
17:34:26 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
openat$userio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/userio\x00', 0x20001, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  458.756672][T29634] binder: BINDER_SET_CONTEXT_MGR already set
[  458.785245][T29634] binder: 29593:29634 ioctl 40046207 0 returned -16
17:34:26 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
socket$tipc(0x1e, 0x7, 0x0)
poll(&(0x7f0000000000)=[{}], 0x1, 0x100000001)
r1 = syz_open_dev$mice(&(0x7f0000000080)='/dev/input/mice\x00', 0x0, 0x10480)
ioctl$PPPOEIOCSFWD(r1, 0x4008b100, &(0x7f00000000c0)={0x18, 0x0, {0x4, @remote, 'ip_vti0\x00'}})

17:34:26 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xff600000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  458.827821][T29799] binder_alloc: 29593: binder_alloc_buf, no vma
[  458.857198][T29736] binder: 29593:29736 ioctl c0306201 200001c0 returned -14
[  458.938443][T29799] binder: 29593:29799 transaction failed 29189/-3, size 24-8 line 3147
[  458.947556][ T7838] binder: send failed reply for transaction 1334 to 29593:29634
[  458.963143][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:26 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008911, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x28f0feff04d40c71, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x161001, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:26 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x48000000, 0x0, 0x0})

[  458.996666][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  459.079831][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  459.085656][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:26 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffdfc)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:26 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1900008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:26 executing program 1:
r0 = accept4(0xffffffffffffff9c, &(0x7f0000000080)=@alg, &(0x7f0000000100)=0x80, 0x800)
getsockopt$inet_sctp_SCTP_PR_SUPPORTED(0xffffffffffffffff, 0x84, 0x71, &(0x7f0000000140)={<r1=>0x0, 0x1}, &(0x7f0000000180)=0x8)
getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(r0, 0x84, 0x1b, &(0x7f00000001c0)={r1, 0x65, "5e1fa8b8dae6c56d2fbd5172896bb72986d74a5fdd6ecb97556f1015e03df0ca4619e9096d0bcf1d59c344dd2fe95bfc4225b51b9077c1562b71a2ba5a5f3be5dd17585d6d4bc0d9c98ef537efce6d798016bad1e215614c612129a02ca2cd71d7dd1b4efd"}, &(0x7f0000000240)=0x6d)
r2 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r2, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/rtc\x00', 0x2000, 0x0)
getsockopt$inet_sctp_SCTP_RECVNXTINFO(r0, 0x84, 0x21, &(0x7f0000000280), &(0x7f00000002c0)=0x4)
poll(&(0x7f0000000000)=[{r3}], 0x1, 0x100000001)

[  459.130338][T30060] binder: 30051:30060 ioctl c0306201 200001c0 returned -14
[  459.196647][T30110] binder_alloc: binder_alloc_mmap_handler: 30051 20001000-20004000 already mapped failed -16
17:34:26 executing program 4:
r0 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x3, 0x2)
r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/mixer\x00', 0x400000, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r1, &(0x7f00000000c0))
write$uinput_user_dev(r1, &(0x7f0000000100)={'syz1\x00', {0x0, 0x5, 0x40, 0x5}, 0x2e, [0x9, 0x401, 0x7, 0x7, 0x5, 0x7f, 0x6, 0x5, 0x100000001, 0x2, 0x8b, 0x10001, 0x0, 0x3, 0x9, 0x9, 0x5, 0x6, 0x4, 0x3, 0x401, 0x5, 0x0, 0x1000, 0x5, 0x0, 0x1, 0x1000, 0x7, 0x7ff, 0x1, 0x1000, 0xff, 0x1ed, 0xff, 0xffffffff, 0x9, 0x8, 0x4, 0x0, 0x6, 0x9, 0x99fb, 0x7, 0x7, 0x40, 0xde, 0x80, 0x9, 0x1, 0x2, 0x100000001, 0x6, 0x1, 0x9, 0x40, 0x6, 0x5, 0x9, 0x4, 0x3ff, 0xec3c, 0xb, 0x200], [0x302, 0xea1, 0x2c0c, 0x7fff, 0x7f, 0x5, 0x2, 0x1, 0x8000, 0x1, 0xfffffffffffffffe, 0x400, 0x7fffffff, 0x3f, 0x401, 0xa83, 0x0, 0x6, 0x0, 0xffffffff, 0x7, 0x3f, 0xeb81, 0x0, 0x4, 0x1, 0x10001, 0xfff, 0x800, 0x0, 0x777980db, 0x20, 0x1, 0x6d, 0x1, 0x4, 0x2, 0x10001, 0x1bf, 0x14, 0x94bc, 0x5, 0x5, 0xffff, 0xd54, 0x7f, 0x1, 0x47d, 0x0, 0xfffffffffffffffb, 0x6, 0x8, 0x6ae, 0x10, 0x9, 0x3f, 0x0, 0x5, 0x2e83, 0x5, 0x8, 0x1, 0x7], [0x7ff, 0x10000, 0x401, 0x3, 0x3, 0x4, 0x3, 0x8, 0x4, 0x100, 0x261f, 0xfffffffffffffff8, 0x7ff, 0x1, 0x6, 0xb13, 0x8, 0x80, 0x0, 0xfffffffffffffffa, 0x2, 0x90, 0x8, 0x5, 0x6, 0x8, 0xe5b2, 0x4, 0xff, 0x6, 0x21, 0x10000, 0xfffffffffffffffe, 0xffff, 0x1, 0xffffffff, 0x4, 0xff, 0xf5b2, 0x9, 0x3ff, 0x4b, 0x37e5, 0xffffffffffffff7f, 0x1, 0x4, 0x1, 0x4, 0x71, 0x8, 0xef0f, 0x1, 0x80000001, 0x7fffffff, 0x6, 0x8, 0x3, 0x27, 0x7, 0xc70, 0x8, 0x2, 0x401, 0xfffffffffffffffc], [0x5, 0x3, 0x0, 0xb33, 0xffff, 0x0, 0xf8, 0x1000, 0xada3, 0x1000, 0x9, 0x2, 0x4, 0x9, 0x200, 0x8, 0x10000, 0x3, 0xff, 0x2e, 0x1, 0x1, 0x9, 0x7fffffff, 0x7f, 0x40, 0x7fff, 0x9, 0xae, 0x8, 0x4, 0x1, 0x3, 0x4, 0x40, 0x1, 0x4, 0x9, 0x80, 0x3ff, 0x10000, 0x100, 0x5, 0x8001, 0xa1, 0xffff, 0x81, 0x1000000000000, 0x0, 0xccd5, 0x2, 0xffffffffffffffa4, 0x1f, 0x1, 0xac, 0xffffffff00000000, 0x8, 0x8, 0x4, 0xfffffffffffffff9, 0xa45, 0xbc, 0x268, 0x24]}, 0x45c)
r2 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$SCSI_IOCTL_GET_BUS_NUMBER(r1, 0x5386, &(0x7f0000000580))
ioctl(r2, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

[  459.249238][T30060] binder: BINDER_SET_CONTEXT_MGR already set
[  459.257522][T30060] binder: 30051:30060 ioctl 40046207 0 returned -16
[  459.280590][T30130] binder_alloc: 30051: binder_alloc_buf, no vma
[  459.287289][T30130] binder: 30051:30130 transaction failed 29189/-3, size 24-8 line 3147
[  459.311506][T30060] binder: 30051:30060 ioctl c0306201 200001c0 returned -14
[  459.340833][ T7838] binder: release 30051:30060 transaction 1341 out, still active
17:34:26 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffff8000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  459.356756][ T7838] binder: unexpected work type, 4, not freed
17:34:26 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = socket(0x1b, 0x0, 0x9)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
tee(r1, r0, 0x4, 0x4)

17:34:26 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4c000000, 0x0, 0x0})

[  459.430265][ T7838] binder: send failed reply for transaction 1341, target dead
[  459.521017][T30344] binder: 30343:30344 ioctl c0306201 200001c0 returned -14
17:34:26 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
clone(0x8000003, &(0x7f0000001140)="0941bb5ec2e083cbb6c170e923e45439af6783a9ae26ce37d7a09b9a8eb455ab34717e6c74170ee34c876ab357638afca306beb8110cce980b639ba6923c091e552309e2f1a86296eaa62d865a15444753c9980274da2d5ab3f6f0c4a76cb95775c76a36bbc859184fe51e579dd3c777620259d53f483be54e31b635d9ff15fde9e096bef628c0c6e7f67b866a60eb1c5fe54c138b5f46fe7b3b1c32c5b78797c001d5785bb384f089333ec15b68c007be7e7ea7e0b5de94294dc201e89c393d89b46af12ae75420402db94395e167f4cdba31928be4cfd3784f61d37540e600eb30b0f4ed42a0d69fd93bc068d00ad90ff8e7eff6ba6f640155b2894f055c7d7e77350d5c83fe4accade7f5b7b7ea68fc148a75094ce9156fcc436d6079da148550bcf7b587f2a1e060bcb3abe38bf168f893528d3fc8239c95b6fbd9fb94a9b3647e7247c91442e2e6c049112f619470fa473890ec8293b8032aba3d009bc527e0ae09386382c804fa17f7067150a5f47ae8c445cd59e4980d31be292cadf25dedf4c7303147a9da1eb79967ab428566ccbd7ea53af2ea0d1fcda7faa0dc10c9f14c1df82099e9c9d09faeb50ff1a57880a29176db37d321a81bba54a2410daf52f1ed63a76eb4c5dacb5c664a459956b8b1e53b87296ac12bf111a1a29bc4c4fd7edaa128a3850457e3b287b9448a4ff9191cc2fe3d1123af74b0ac54f67c3ffd9b491fd282c78450943cf3d6e19c7f7d7f9a970aa6ffecd3b93069d9f5b66a93a9b3a169e0fd484c505b06040319651b238831b48b924436ab947a311825e16afef1feb6b03da6d830abb52d5f74a8007146673053e724d08948b3c05e6bd62c590a1913b7395528ec4e9e91394a2caa8a5d2f069b5969a094a6ab5b1c851672e65ddc54b0a56c02c18822b32951f80ca605d3ffca530d76c549d570ca97a96fafae2608d0dc913ba527bc3ee830da61f4c0f7267b4ddfba94461b6e66676ce2b75e5acff486b93f00b88e1c19a410082830369e8cbde57b0fa55b7c482e79ec77a70dfb4d11613cb15b718dbefbaa11100a3ae7271fc12189a9690e50048c247274cf47eec644030ad0186c5bb5fabda57bfefd66ac1546527dd92c146b51ea6ea982ec2ae62da6174f12d0cec3709c253498713c594da91fc69ced05ef4a160f11cbd18a2b6b80f71365840b271ec959f5ac6e1bb19259617fb012aaddecdd0dcdc9667b20950bc641ff9d295b8060a162560228270598964dc779a6be9be9a13fe522a77bba26533f89374d857da9c4749ca4774c3a23fe9a83b65ddcb5777feecfe742ad39cebfd77937053b92f0a83f9aa99c89e0bbf5e22758030f10896b2c247aef8047f7b29ab76b145be155a7fd2bb3b48c94eafe29e53c0e679204d059627d4867dc9d1476519d01aefb376a1de1ffe65b302ee4acfc4e9d88edf72f082ad3d0f1ef60d03eb85ab4c8852fb5e94f061a0f6e60bd5f725a7a0a08ecaa09226db22c87e1a2b9c71fc66a2402d0aa30ab56ec111eb7b8f1ae9593c1ef76c75c3bf641b0315ba680e17755e96432d10f08e24f74e030a3675c014b25b91279c72f369f022796555692ae2a5b6c78a4d8706568f34f3c2f1bf55394ef291443cb3600717356f49c52cb920bd9bf71d2f471b5ecb265bace71a25d2eef7c9bc32a4de21e256bceb4c7e22b05dc27bde71f23cf667dc3167397d8a3db67ebfac15352e2f1b1cc0a937461a330b99ae79b32bfd45820dc9d5ef6d4f02acec7b28351dc58208f557321dd0f8d0773390aa4582cd155dda1e6eae71c35aa1daae59125b2dc7896d556a1ebe57e78e9e1b7272fa621b0ab84a7ebad1fc120ab3d8d10b8448dd44f6f194c7b8cff8a13301ce1a8af2a97a79686fe35104d40569baadea67ebcb829c37a2845b0a940a5d1f9b0ae845bb76239dac4b5d0e503795bd90219fece27527fb04910c211fb08cb3411772edb4be555a46f826afe0015ca15fa900356920e0a9e4e00eab9c430155dacb507904e1a9338908958badc22e9d03da47e9c216caa781f527dc97bf74972483145fe757786eb7fc672c018e3eaf4874d9b43657243051610c134243c094e50c37c79e88a471ad10d1a1f3f1a5bdaccbdda3b8f7e741b279643596ed4923b4f28c92993438df0f7d83aec427ef328da8c9bd90b239d786022ec57c89bc5ea803ac23cbd348bb87ef9eef48f02540edca11e2669a85e1f5f57c27aa276533ab9c36dd021bf4e98fe888af3918ee4897e5ef0160734bc0dd89b37be4977c1b88cde8dd9ede60d6f7677e3389737d4da24847f754b183378931f69996b332f442908330e3d8710de23a38acd19e7b3d4577f295a632d880e6b8e48d52203e57445a6e7ef68b1c6c390fd957d7ab4a7dcbae8ab49407f763a9c7101ada34154bbe04587ce10019d4ee07b53c8ee350ac2397767c4019c0edc4212759d1c845b8ecdf7b30437b5ae73200c6455234d504d1987c4eded3e7ee46c9c9f26f8ff8c2ecf3e73c7eef439428dc9f37149eb7056669c0ae84efe1241b7da033fc9693cda47fd5b0257ce3a101039c5c8bfb395873dd21db4ee8a3e1f2ddf9d1fae2ae9f0409b7676474546bc153447ec496a28d68c951c8d5f77326f760e159167cb9988e2ab2f46f4a81ba6f4f4d1e2dcf35d52de3fbb0570c33cae5a5bf55c2179effb09caa53020cfc01e26b3e18a45a9c03ffd6d96075eaca05d5aafa215e04904947c06aac101f9b386437bdc892cbeadc41ac3639f192c2bef0940a7d5224cad578a3e4363ab7a5a3bf06d570526fe1a56d4df14af218fb2e65ea38d4fd1ba6a1c3a6853b3ca56407d5eac1075b2e69a561ed04e46134253fd730ac6288538abfc0221171207815b0e6dc4567c48e1d0c9d24dda9433986d59940a936f69925db888ac9b7f5fd5ea91072a9a1c22b35ec328e340c1749bd35120d16de904c801e64ab94c053e36a40f2c47fedd390905b6ad1bd705f5bb616e52588eb6c1dca678ff55bfafd1ed672948b0fa580f5af373147d843a6a91217cc9e14c9a7da2dedd8da07b7839fb7bbba84950855e7687cb9d27f10ed87fee2075e82e840098e479026a3db8c6ac459fe5e5a234a3c4d382f36c1db1f6be078c227a3a2601ed7739a2a89d5086269ca266ed783e0df626d2dc0ab48f7cdef3ee5a5a07c3385543435f07ed5237316ed58ae970a637858ec19b64c2b6e05365ab0ca6823378985ae0fd06bfb6f7d905e4fa088840dc2c1466e4ae6a58927ebcf8806f72fabd9d9cb00e5a1ceb95d1e64dd5e8d282a474549630f0919c1c6db12ca47dc7b6a17e412bbbdbe77776220ef45e8427903754161b6e0fa63a44bc1a11abcc6ef7dcc538d4f421e2c5f92ffdee3846cad7a132320d14093d0daee42e1f044cefc3c24b353b70707fdc09a4a131b58ea90b4e13291bb0ab556902771ba99a4669feaf4866c866139e38531f3b0354bdd577ee296f700f1ff89d2ff91cbbaefb760aff3d4db52e23b311591164fc81f45d17195e4055795ead0d13c3d5f6fe5c4a9ab7fcf2309d813ad45e3dfd19a13ce44d6cf89440b0f60f4cfed88ec9842cfe51f03c190ac74525c4b094d9a827c80f24a1deaa8c8a849fa5281116d3ecb9ac66d87498f9d7f4709023093d7b48b844f06238a33c0e908fff84a35cf35ceb0fd9b5f2799d3bd460fc0921fab9ca2081fe24adacc8e350183d8621aebba0cb88d60249b6d9ac8f0a21cfb5165d678892f8cbb53469ffebbab9af899de3997636499e681277200f5d1eb131f477ddf6c2032278add450f974d5fdb0939fa68648f09923a308b4fe14e33e1894f4b58d8e5ce273975395a16ec6cececa8a9723646ca8548665f3b06133b25e1da27a8d2dddcd8edab9f83ccef6f4d6e6098f7e7e404ee1a8103ec78f578e9077988697da69d582e5e5507297abedaed6f9447774ae2761a216c3bf0d77e4f61b82b721fb23620f319c6960ff1d41b12bff7fc52ffc9ce0eba1b35c61a959b78ef5c6db14076e9bacee3c1a54787d75406fea1d422d61087029cacf2cf3c13a84af5908f8b65be96b11f81bd166bcc019d4bfae1a8a87648ad9dd4935c6a8dfb32d78994cf748fc0653765d9e653ebb4be843b55d7bcb4e5aa8be961baa4a4ca60b95c51ab311550991b84cca390529a81785d154462ab2b002ea6b68837c37f550bab832155e9000684088f335c60312c3f1a3c5d426b915c985a2b67804dc7daeb8b727b05b6c16d29a2e21d2b28e68c244ac42bc86d9dcede313ed794b5dd85d243918c4a94d90f176072ea2f6c7e4328f50b130d846af0f55c181b6a38adecf15002670253161df6378ed312bf6502de7b3a2f08079298fddbed95dcb4fc5eed576c38b473697e794e3f9e3e42e16cbf3e07c50ebbb07a5837dcb4a3041f46230507988c97418feb4a26f2cb2f9ac42d597711886eb1888022fe2e609db926e6ebf320c95a33c9dcfd3bb6831f1145e7cef5ed8beb2a0e725ff246be0f5de47e7edc16e7b3693a088a6bfb36f8a69394d95a04ea64002f7a49ecfa68af245651948d45a00e3733706d078f4d77b935303a9eea42af3951c428e355e156aadf84baac2ebdd61794b839c908a5a2214b5405c6602a1bf1624ef00c6196ee336e1f84cd204a70545b806af653534ae2ce757e8ea2adffd7fe46d2ab2e84c5644ef8beb6cbb8bbb99bf1ead93a46f9944b0c38750856d1475f37a6ccec4ab96548fc5ac9f8f4898cbbb15916f7e5b3321ccabb5cd33b258556d53b6126cef47d6ae233b8873f882632866e24c11d1a158171a28b8f85ec3b9887262cad0cec8bc6b504d7c683408a339842592f118a644f26e8c01e337942301cccc6f9b54d3a471bf26481666b4787bfb2c6dbf18ce32f99c5f6b36afea21b1e2b607c823985539654056dad255990af05bfab9119ceb61377f049474d4a321529057dd7eb058dd88ca51cd58576b2e683ad6326569e00b96b0e87e36c5a42fa9ff68dee502e0aad1eaa7b2a8ad54dc3ea2111c23ff9c83ac3152fcacbe8b160d4dd917e53699984fdb64221f30b73717828943e9b596cce3c0b16fcd4ead3d84f2d34dba391fe7663c8b2c031ccd2c1a2bc83bda7e3183b0975e2ef80add77fed218495b491635b925012b0c107d8e86186060fde1bedddcc63150572a12b4d996ba93c0e0f61999d1cc43d62ed9b9b6e288fb32ad2c3558817872b962f057dc74a60b1ba78302cccb5750a9266a99c55813a6333b67886ba20b772c32a759f84c1829c7bd51afc4e6e835abc7e9d55351e2b9c1d0db2bd1d759dcc6ebde9b3ad2420494a40b5920698b9a38b07272f40df989cf920fd4cce7a30f7ff83e902e8ca5b72844b1c7f9571f63b5c9652cd569b2d7694f3c2d4071394df3aaa4f97a0e499c0f6965b5cb808c53df1ff691e68641b19279899c413e808f15b54cfac64ce09ead96ade276a6ab8fd0479a31d9157d2d70cfee5f44cc3e2dec1a40bc2de145371f105f29d0839b06343dc3e32763074cf787306e1ea44fe0298cf4eab83800adb641d049c84982bd0cf1ea30616d3b2a2d0590baa0e9573a584b21532585a73492873cf1e1f811c10b841e05e84bf3023f3c742fb89aff09a9fe94bd4fd7c403ee0aea8bc3f41603f9905a0d3b445de9ca1fd56cd87dde46f864585b381d22b0827e3b2c784d408de5692562c1cdc45aaad89679e5224dc32f5bb13e3e64a94e5c7404cffa15fd0ac4f8743abc9c4cbd865a3d4d27648ece4ed67a48e2dc31d670bf880000000000000000000000000047c4bf53d130017bed839020804982c66f10e1c40c6c417be9634c0eb30a7ab84f0bb92e6f2334bbf5634cecf7f72c165b5625783c7feec081b2c40aed88402709cbe8fc1cd700944e4b56712d54b9c50b19268c1ad6b037c1e4", &(0x7f0000000000), &(0x7f0000001080), &(0x7f0000001100)="a38db5955574c75b39faca")
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:26 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffdfd)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  459.571485][T30347] binder_alloc: binder_alloc_mmap_handler: 30343 20001000-20004000 already mapped failed -16
17:34:26 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1a00008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  459.650758][T30344] binder: BINDER_SET_CONTEXT_MGR already set
[  459.676462][T30344] binder: 30343:30344 ioctl 40046207 0 returned -16
[  459.720211][T30423] binder_alloc: 30343: binder_alloc_buf, no vma
[  459.751032][T30423] binder: 30343:30423 transaction failed 29189/-3, size 24-8 line 3147
17:34:27 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = dup(r0)
ioctl$IMGETCOUNT(r1, 0x80044943, &(0x7f0000000080))
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000140)='/dev/rtc\x00', 0x140ffc, 0x0)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000100)='TIPC\x00')
sendmsg$TIPC_CMD_SHOW_STATS(r1, &(0x7f0000000200)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x40040}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x1c, r3, 0x802, 0x70bd28, 0x25dfdbfd, {}, [""]}, 0x1c}, 0x1, 0x0, 0x0, 0x10}, 0x94)
ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, &(0x7f0000000240)={0x8, "02d5914f4f219e906787a98e020f8f43b5aa3b1fd1cf0bd3ed6737dddc77bbf2", 0x1, 0x1})
openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/hwrng\x00', 0x80, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$sock_inet_tcp_SIOCINQ(r1, 0x541b, &(0x7f0000000300))
setsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r1, 0x84, 0x13, &(0x7f0000000280)=0x1, 0x4)

[  459.767504][ T7838] binder: send failed reply for transaction 1348 to 30343:30344
[  459.802501][ T7838] binder_release_work: 1 callbacks suppressed
[  459.802507][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:27 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x60000000, 0x0, 0x0})

[  459.879841][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  459.879871][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:27 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc14147696510bdd89c4fc6f723cf6d81dc909dc315d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
setsockopt$inet_udp_encap(r0, 0x11, 0x64, &(0x7f0000000180)=0x7, 0x4)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
recvfrom$inet(r0, &(0x7f0000000080)=""/150, 0x96, 0x100, &(0x7f0000000140)={0x2, 0x4e20, @broadcast}, 0x10)

17:34:27 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffdfc)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  459.953490][T30643] binder: 30642:30643 ioctl c0306201 200001c0 returned -14
17:34:27 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d00008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  460.030193][T30677] binder_alloc: binder_alloc_mmap_handler: 30642 20001000-20004000 already mapped failed -16
[  460.060514][T30643] binder: BINDER_SET_CONTEXT_MGR already set
[  460.069427][T30643] binder: 30642:30643 ioctl 40046207 0 returned -16
17:34:27 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040))
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x1ffffffffffffffd, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:27 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffff6)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  460.076575][T30677] binder_alloc: 30642: binder_alloc_buf, no vma
[  460.102970][T30677] binder: 30642:30677 transaction failed 29189/-3, size 24-8 line 3147
[  460.129097][T30643] binder: 30642:30643 ioctl c0306201 200001c0 returned -14
[  460.170318][ T7838] binder: release 30642:30643 transaction 1354 out, still active
[  460.187516][ T7838] binder: unexpected work type, 4, not freed
[  460.203916][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:27 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x68000000, 0x0, 0x0})

[  460.228829][ T7838] binder: send failed reply for transaction 1354, target dead
17:34:27 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x10001000008912, &(0x7f0000000140)="a0c09e7d89683b12041319613dc8d274e061b15fb4000000000000000000000000000000000000000000")
r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vfio/vfio\x00', 0x80, 0x0)
ioctl$CAPI_REGISTER(r1, 0x400c4301, &(0x7f00000000c0)={0x1, 0xf08, 0x853})
openat$cuse(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cuse\x00', 0x2, 0x0)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000180)={0xfffffffffffff800, 0xa882eec, 0x8203, 0x6, 0x7b, 0x7, 0x81, 0x1f00000000000000, <r3=>0x0}, &(0x7f00000001c0)=0x20)
getsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX3(r1, 0x84, 0x6f, &(0x7f0000000240)={r3, 0x10, &(0x7f0000000200)=[@in={0x2, 0x4e24, @loopback}]}, &(0x7f0000000280)=0x10)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  460.316700][T30785] binder: 30771:30785 ioctl c0306201 200001c0 returned -14
[  460.353785][T30785] binder: BINDER_SET_CONTEXT_MGR already set
[  460.372850][T30796] binder_alloc: 30771: binder_alloc_buf, no vma
[  460.395884][T30785] binder: 30771:30785 ioctl 40046207 0 returned -16
17:34:27 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3f00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:27 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffdfd)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  460.424328][ T7838] binder: release 30771:30785 transaction 1361 out, still active
[  460.437432][T30796] binder: 30771:30796 transaction failed 29189/-3, size 24-8 line 3147
[  460.446980][ T7838] binder: unexpected work type, 4, not freed
[  460.463035][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  460.514118][ T7838] binder_release_work: 5 callbacks suppressed
[  460.514132][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:27 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6c000000, 0x0, 0x0})

[  460.554190][ T7838] binder: send failed reply for transaction 1361, target dead
17:34:27 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x50000, 0x0)
getpeername$netlink(r2, &(0x7f00000000c0), &(0x7f0000000100)=0xc)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:28 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  460.657920][T30913] binder: 30912:30913 ioctl c0306201 200001c0 returned -14
[  460.702980][T30913] binder: BINDER_SET_CONTEXT_MGR already set
[  460.731803][ T7838] binder: release 30912:30913 transaction 1367 out, still active
[  460.741793][T30915] binder: 30912:30915 ioctl c0306201 200001c0 returned -14
[  460.763362][ T7838] binder: unexpected work type, 4, not freed
[  460.779494][T30913] binder: 30912:30913 ioctl 40046207 0 returned -16
[  460.787203][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  460.828263][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  460.857235][ T7838] binder: send failed reply for transaction 1367, target dead
17:34:28 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='rdma.current\x00', 0x0, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000080)={<r2=>0x0})
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f00000000c0)={r2})
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

17:34:28 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:28 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfffffff6)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:28 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x74000000, 0x0, 0x0})

17:34:28 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x200000, 0x0)
ioctl$TCSETAF(r1, 0x5408, &(0x7f00000000c0)={0xe7500000000, 0x6, 0x100000000, 0x8, 0x10, 0xb5, 0x9, 0x7fff, 0xffffffffffffff41, 0x80000000})
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  461.014790][T31137] binder: 31132:31137 ioctl c0306201 200001c0 returned -14
17:34:28 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  461.058770][T31141] binder_alloc_mmap_handler: 2 callbacks suppressed
[  461.058787][T31141] binder_alloc: binder_alloc_mmap_handler: 31132 20001000-20004000 already mapped failed -16
[  461.082403][T31137] binder: BINDER_SET_CONTEXT_MGR already set
[  461.097284][T31137] binder: 31132:31137 ioctl 40046207 0 returned -16
[  461.150471][ T7838] binder: release 31132:31137 transaction 1374 out, still active
[  461.158260][ T7838] binder: unexpected work type, 4, not freed
[  461.165852][T31141] binder_alloc_new_buf_locked: 1 callbacks suppressed
[  461.165860][T31141] binder_alloc: 31132: binder_alloc_buf, no vma
17:34:28 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000080)='/dev/btrfs-control\x00', 0x10000, 0x0)
ioctl$sock_inet6_tcp_SIOCOUTQNSD(r1, 0x894b, &(0x7f00000000c0))
ioctl(r0, 0x0, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x260000, 0x0)
setsockopt$SO_VM_SOCKETS_BUFFER_MAX_SIZE(r3, 0x28, 0x2, &(0x7f0000000180)=0x3, 0x8)
sendmsg$nl_generic(r1, &(0x7f0000002600)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f00000025c0)={&(0x7f0000000200)={0x23b4, 0x42, 0x20, 0x70bd26, 0x25dfdbfe, {0x6}, [@typed={0xc, 0x66, @u64=0x7}, @nested={0x2158, 0x70, [@generic="3f6db1d46bfa967822d6b1bc29a7c31210556512e88156ae6ca1343a980219d3c4dae5ad09c1559d7ee143a87e6b578a61a2d9c9e4cb22a9b810bf2a61d83a90560c18fc7500968c408b2fb4a72402533dd32f5d9241c81d254bf9869b508e2de83b6577982fa1d2e07ca1b1496fe17d4eb267caa8f8979959ae52b3f9ad177a8283a11bf8e7bdb9cb2714b24a71cad36e9e7269acc60cd625786dd5af1b528e2a634333dd39bc0202cecc833e47ef11aeab0657fa7abdace8732cfe240cad6c10219423e532de48b0c597b1bc80aa29ff27d697a51ff1aa108ecceff53404a6e9cd392859777f6dbb526ac5b2cf81349e2e758a2a3a8598899290292ddfd1ff85e975d8c6cce18ae789fc109253d38edbf8222b1cef1e1b23f9068088848ee9e61a466ef5d1487b8eeb24195af221e9430246cf192c3ccc3186c9fa4c6dd0d5e8b5cd424c72cfe7ad2e3dcd92ad04753bbd0e0a4ceef0265df0c562511605ad0b06509e2e267e613ed16ae7bc9ce3b9df50f365c53fb8f1405d1582dd6e53d2e29e7f2164dbe1f1891e2d3d2478bfdabf328c9021385610729a78d5c6ea1d3ecdae6c27b37b04d6ae0ce6dca8a62015965655d36ef17bd28713579de7322d6618eba21e088e6d5c2f03428e444c3ad7f4cac4c33117815922180f25217f0b7b22be4d0f70e7252eae02bb7db7bde90bf1cd668b151eb07bc55e2f00c25551aaac41f402572de2e766d28783f4255de249a02244ade6aa73e73f4579c9b2d6fc99263981356782d2e4837b717026af81e2a78b6f55b533ca923a53bdb8b4d976a508cbaaf97403aec02c538ce0f0e2ebbb4168ff4cf20472f855f12f17a6a543e3ec917a04e36613fc0eadef09152815027119392084d5ea02720c02e9d570a894c5fdfd261bdd37d3830593ed35f8b474bc6864ec87859a0248488e155e0815e6d82f0191b7c5979ca14e20fac83d5a12fc0cfe687c982a21a893822c36d30851fbcded0310c45b4f28c5a10cc8af7c1880b54b17a027c60b82b73b3b5bc7bd5b96e5bdaaeed14d8137cb5997eb537a1a9528fad67dbe4aa71cd86a990a4c146f340143c4d121b34a92e16d47b166ff56b299ef7d14dacb5a92d0ac8fa1916d03dec407768c2e5b387ef102f973dcd5246fbddfa126119261b17270a675cc984e1cd0e4e7d523ee1cfc00058c3ae877a41b93f6e47e0d8c405155816cb1f068d5301a2ecc2e7debfbf4668482eb34813b0618ae6a23ff8a0c028f357497fe0e2f49e00f0a68ff63d5278c67f50abfb4abdb94172962e70fbd9d7e5201be0ae06a42feb5d6bc6f32c83f15db3b19d444d2f5e27bf081de22886203a03700754961639b3a25e7ddd6fc8c8f4f1e10f0b3584460932dbb0204b964aaa3105f9b921b98a11a26f891b0e538bfdbb4fa3587efe72607f601ff43e8fa0d9144b529202986bcdc75da536d578df88110b91fe26bc5086f3540a4a9c7a22fc89f75187febf9d1a17eea7009cf9c2114f9ca798637c8a2f61ff8e6517448a4128105effe94727e2dc7c754c0951c2e2a2e9081bd66b4a7e5039850e94c4bfcc25bdde495b9991dea24c765735fc8d44aa6c9933a08f774c81577a1642a416d2f3659e7cea775884d15ecf5e40e8874005b2319e1b6bbb936c53d32919e29e4441bcf8165bc76858d8b2c11a83b102a5e43e4a9c622d3424ba7da2e6888b96f2c81e15cb831646fe65e5795da3135510db65f1577bb7a9cbbbffbd2df49098f79258eb88578564187ae0bf2d588bff898d80814104e83fd8ea2ac9293f92ec6d43abc101b601ee9b7bfbb989be5361b085981103c1d358525580d057515ea0f25b8e4c171de39b30b80f99cf3d18c443b914ff131ffa144e841a5b17b8c87d85c6fc087d41c1d864de5f04567883fa23cfdd47f0a94bd6c54ab8512fbdd6d87c7347ba4f1f267f86cb7254b9b7b2db94474c1dd3b4752899afefe92c0062f7464ec38379718cdffeb5543d3dae31b4467a3122f0b3d64552974277f569581f81a7528bb67fd879fa00be82c4f8e9f2e707f044726804f6d6a0c99b951fa9092960f334c7ef73d020e7925c62a5cef3df217b66298be4913da0a5ee1a2ddc16ac6a5b56e45c09b8aa724bf5fa806d5708484e44264600d6d6be9961ab0720712f956e3e97e524d39d34a12df5bd30e0902ed0f01e310439ad9399ddd20fde8d75208cfcb719fb86fab0c35e40101a53a2e36a8981ab63ecce0c782fe55577c2f549a2de10dcaa1bc6be1d35696b44b638c57a54877bc43257c4ee4342e6296d0e6f127f5a8905099e12ffef26989d6ef9781535d10b6fad72ead5bce123daaf658b98d41c93419f407856f08625c27446d2e65bf6e60bbc31fe33b944722872ec56c9211c37dbc921cf1c8e81473c3ab27aaf7e5211ca46ca3385cd1789b8b628a4e639900c09e3a9131710c181acfdb385fa36d54766b0617861b89f06cca1f744bff84090d469729c6ff42ef2a52c1c6e9be96250079d24fe55751fdd1eb1a8c540549ffdbe69af997fb3e55c19d6555dd00a90c519599e1ae797a6715433b8ae349c73248802af931ce780f564ff68db11e4786ec3b742fa6df152e0a901f5fbcef2e1070f7c57becb95787154f14085caf3d3091c72f5e1774664fc47a1f9d4967c0a896a6fae437e77f19657d9e2a68016412dd1676f1ef3474085498fca77c42c53b4969055727494e9f9f81e588a8abbe406a790136ad36eb94e93583b42eb63adb8ce609a80f29a31d86c4c42c9aec9ca580ea103ea203c3c582fa8bdfa24fe8d789151123c884f74ca654cfd64b2c9fe15349383990c43212488f33c771973b862276575b5a59f56c0cb031c2877a0bc16e63700b504656d771236c36eea52693aca01add3811a7df9c005c99909b2cca4e4851a692514d39e653337589297fa04953a3120674a3d6575235524046e2867c5b5a3457127056d0c0159b432063082276e399ee06871c037b15a343ff538f1edd63af12066aca8e27496beb462d8f7eca9b7a71f6cf3a5ecd7c0dad4a4bd1ec317f348115087c023ccfa6f9337303ca4dc18327d33675ad8ec73250145d7b7a164accd9269fa61ccfd680b589b889e226e4e30904cd9fe04cc1db59772ef71eb162588c445705b357abb55390942df61acb403c946d4c9c71920c33005f9ed26043be7f969735f69cad89648df5d3fa4851bda898268e398dfc622d30059b42e6953b96efa018f43a769e55983e897e018061d4385bca9b1c4a172dd4c743381944523a0989426bfe8aaafd2a9bec6889da82189e6a6708c18c9318f67ef60c4f6b2a2d8f6510a076c78052c450f0cc138421349a029aa89186ff59d9456482f5c6c8f03f0359081e0769a98dfe2e76b8d7fbaa515c2b68f37c266b94527f2517ab4af4eb5ee47d99586057757d9352162bb102fa245ecbf8ca81c441ba5f3f3f7d68623d014006ccee83217e25cd734092368631adb4f630d7332ff2ba4a501285fc5770549219ffea0b431a20c49d1995993f0c5dbc83528213b7b8a272436c0bba75b19dc2e598180e4ff83ca908d7b86b08ce3636b7dc25553522cd5f4dfb7efff4942d10c4bd412b18680b92824b8ea564390c27ddb867118bf23ebf738e3f226597feddc426fced6616ac5158493d0cd7325630973bd5d6d79c0bef36a1c26a474ab1b3f63b89fd2a547da06c63aac58323fb72c0d2394efb5d86bf533d1fd5678a7173bd15c875a47f6cf2059cd2fed9971fa05964b89805d5574d77c75f694cf78a437f9b680650ea349cd3c82ab1be97c2b537b2ec98a639fbf9efac4a83c37350f51fe1930da12849ddd622d86b6eea5a05bc1c703282750e43abd6efa43df0fc3bdb409cc3795d823914ec8cf6f327aab25f960d98568eeb0cf61d4d17af48895ff952f87c462abb6dc005ef338eab264a51acca6923ac73b6c053a49192a77552068d5cdadfeeacaf8631de8703c1330d5c86989ba2465f2a43e5a31be9bc3fc07e886ebba1201f35d93ecf7cb7d2e49a4f573330eec6b57eb19c08bca36e674dcd45c43963cc700537875e6a036ed9eb40f39db62d30f0bf87029e41b4233cf0ad36718ee739e604c0d39ef30dc2550c90082cf6496cc2a50c4aef0d0863da8a9fe40fb6c3a0c1c0d6514a7807b75e92040b2e81fdcee041eb3ef3584024a7632cff333e5df629c80d73ce7e1dc60ef986a6e0ece7e78dcbd29ceac9aa72436224c38619bf81a484fc82d199f59a1c642f58670757cbdda750bf3680e1510c284cb7f6640dd3223e2221ce5012d3a65558c3d4bdbd018afbac3d6d527090ec2d173f30ece7497ae6f7528a2bc33f5b6c83dec08ccd9a38fcc10b2e36f757534d0d4791dbb5c20bfd44d97fe3284679c212019b2673439263a1e5f9442d5494ca32686683282b6fbe566908108adaa51e29f29bf95c312cbd01b58753ff307e9ea8821eb61e39c2720b15a8037bc14b19a81447fc8026f9599300f6048b0ca019338df6920cf5bd1bee4956c63f5e9372c575bae652ce90f86198bc91c3b96a55ce8d0858d67a6f4da49604767b3c966835654d2e9be3b67d052d4835098e3acc0e4f1b856c54d99367a59ac461c9139cc6dc5c8bef17ce1b4b5beb1e9180dd9bff985eb7f28c67b1707b71f518a40744db38509d9e09cd11ea6ca492c462c8c636ebd175e606de601e85a9dc3cca95a84a8771b361f58d25bde6f7c81cbf7b37ac1fa13aea50d34ce84e02215da20ab3e31adfe76aa1cf011a92f12e2bb1a672150b7de2512fb15368911888f0549fe677fdd1892f9ce23011fafb9ab7002cabac86cd7ae808e1b2efe03d8b14323edb24411dc1fc7e640658af3191bfbb82caa117cfe81da05bd298627dadd770a7f07167bde559c1746fb8f605fa35a7ac60b78aaf1db3c3d4c880c003bfff9ca4ab486b443688c63af65043d8b99ab72c449ea7f3356882e87650a42156f85e9bcbd53a4565f22ff9e5dd57b2a2273b54b280d6921f2cb1d7a46d95d4f3d5f012e1a62e1a5c86d3cd53ef63d3b219c00733430e77ad94c7d1da85b8ebc158d25b4f6c16d8b85c74d1b0fc094e544f7f2cba6cd0a13134057989a78e80ec623823aa901327f805c7f7240c1fcfe4736acb566bda7fecbb8cdff122e9e30302d206fe36e9c93ae3db2a5e91d6e48818dc82b725a8e9b9d3a983d9829c25beda136cb0896d139a152005a2be1e1735e368804b22b51dd284077ba8dfd79259d8387d95cb3d3d422caf03fdb892a7ab026b3bd958d7eae610c97fcad9c00790d4dac5d65352840b4fdf81d67d071302f07e3a4d2d6621636f4b39450cf846537be5d1d558e6a4745b61db7c7747a8ac639978cf58cbcd525aaf4ae82f341df201bbae19283bbce5eebca9393c292797ac3f45e06faf86f0d6f52072eaf4da4feeb0293d99913d13914a44d708ceeef450939f6a9e889c450d3608395697cdb01e621cf396c85c90490221c5e592ac116d3fd42343efca1a856d78689f7d14e8887baea68fbc781df5889dca5ec67ba766cb993cea075faf40c23c48e33ab32053ae85cc3f975b4baf61cf40bf7964417e554b18d02aa7fdeae96deef1c03f75d7ed1c6366019d87745309963ad105be0a7fab93a048208e71dd036c8fd01a9700a151b3d72a611a82f2f991c4d45bbf910185725c20cd6c14309170b6bb9228342e595f8e4a281ee1d35191f43e89060efdaf73ed27cec114b63474dff5f47f1d0a89e93615b02613ce1f02df352f5399ae1c65a3d7596fa9c28429", @typed={0x8, 0x26, @u32=0x412}, @generic, @generic="8dc6a5957ac1957b2924e752eb5e74a4e4ed8e74061ce690083af5ec72159dc929e8884121a68e5bb98682027f217b515d4b50ed52c068cb732f2ea98faff1b5066a0ce5c76323834988d47ac21a0553c3c0bc2412733852328e02a08068f29de0c8905129ea76cf4066c77aa200dc2bf823acc4e20d790dc1a4b3dfa244883ee5ee591454442b7f1dd50891117ee17d6982046a9c3b9442735933748258775bc0e334c406cb7c2dea9335d3fdb20fdf70bbe28c19d3508fcef07690b4797b15ab1dac265c7b31688797623f8c927ab02a69fa7118b4ec0686a0f7eb58e4e2c020fbc1f0", @typed={0x4, 0x3f}, @generic="2a9902300c41d9a56e9e18f46d17545af057f969fc16285ad8f14dad8901210771f639dc24d68881cbbab6407136483ebeee4b1aaefb3cb09a8c3dd8860fd645eb5ae3b7825033c24760912ad84d", @generic="c4ab5ca6c31edfd2cc4882f31afc57299e6cf1723ed867192cb98def08cdf32c4bc9d01fe2ac64bc74ffbbf971119272eed0097c52d3064fc543cbf612a91a3d4aadf721a92d2f8d49d444b702e4e2b11ea3f2fbc53bd32a4d68e9dc19c3c6a6e51ecff593ade1fa4f970eb70c929593478bf5922c118b1e15833a866da6ccfa07c410ce43c864ad18df7db23392ff2ff3b6026e46a2e1ea2033c3d0b9dbd7758443bd201ea0983d0cbb0c213a7eb3e9255ecd1fa55706b2d1e0908593f6d8e09b50bec3347607fece2c631d8bf828ab814b37f20225260a4cde747c4a16d83ce5d62ed1a4f3920bb4f0cbf1984a175dc1cd814a0194eacc002f1431f5b899ca145322a0a98484add6ac4510e70433337f7a6d0a1aca3ad39ab1d54999af7618bf1995165a91c3c68dd19d7a7e7cd40f12dcd20b15ce1f79593e29a382b3333901498a90fe545328ca17a0164700fcdba61621275053bcde7fffdbaec3e7ab45d5a1ed7acf3ffeee2fa12ca9993ed63adf37515ef7342d4aecec78d7475dbb800a17cb5c59a7b38cfa417b5e333289da731586b582226ba83557c56b0c47e6445b72d4d776d7b35fcb9d9d46d52377130ac7b616539323f1b5677bf056fe847f66534861557854b8c2b1504c682010ab302a1eae3ac52b817ae3d881c9b155a3ddead3ce5542b1b985fc09de77bc2e8c28ec5dcfc98f4c76ed7511c7b289deb05685b4474e2ef36e3bb857f7d944e332cd455f64794ff322c5ca1a5d6442f58a2ce876843275a32b21473ad76ba0216d519c3e6b9edb5c7e7dcd42d3c2bc3bc35b2d8bcd47c569abb732c43879c79e8d1cb9ccdbc3c09cb3baf4f0ee398e0fc08603bce4462f25892702f2f5aa1a1149b2c6142b5337582aa7bd9034778c6a2103af57340b5cf0a249a7e6e9e9dad0aa5113931d3060f679cfc6378e074e6fd3886b372fe2b1b0b47d790ec84feef904e74d6d9913490101c8b47ab7099bc95c32d9bd4ac4358d7288c41f8882ec92cc0a5be57572e097693bfc38bef2341a187041f961769e724461f8950c13c8e1485adf581971362cd1ec48cdc2ba4e31b3cfe50d7b7061cd5831f9964b456672030e23a4599e54e1c54fcc3eebeeb2257f828b0994da814ec14f29e8a6558ced76d663db79a9597fef0a95c485ed44dc0643806ee25f30e6116f48bedb1eda1afd91dc778c61319269dbcb64baf11391b2e03f597660476d72600005d7f36dc18f3bf40dd7af8003bf3afd4b8ba52133d16347dc6ebc16fee6fc45380fb14c9c7dfed6bb6c032ad54ae0734b689c1c14d1f4dca392718488c09070dc7f8f032916eaa99387829f902fb35828d2affb34cea6d5c83dd8123731a2f45e13f5dfd6a9938337b47ef17f7a5f009b67e53e6d9ce3d5b83e1d266c91abb75a6bf07c0e8e2df6f67c84e147a79b2663a253f90d3cbb2eb7cff12596f86f8a8ea2e631623b7a86fc610f935282c0ade9ed4ac9e5d8565784f9d2f20ca476a018a70cff5d55aaa13943590603c8a427aab158ab30cb61aa3230bb5b1205ec14743b411cd005f3a04f3772aba7d486800f7164fc8a70824524c6bb55a0ce2232c33effd5455ef740a3d3c55469333d7a5d691ae8f7ed78b178404c53ac240774d4b72cc68f846ea1b37a4a19957bb33e18fbcbed0ff8ab89a302316cd68c7da4abc42f3ba9318ac0b766520d3842b5815e160d9fc4af19a68ed9b6a828b732a64dd2edc144e695ba001b74313cdfef3329d6a05f01d958eab743106f94c92245ea8541b6e8beaf76f2e99f139f3c57e34561ba605097fa6426d92e3496c421aaeeb3904dfef58a28c7cb18f3265face941983eb08e941537d0c0969d06db46df356cd9dc95ef343ccdf7da695c48a0ae5e0bdc2617ce97a302b0e1cc4a64c03a33bd7a39f48aaab9c3a467e72cfe4dbad72e8a73cfa0eb001cbf993f04d8ce1dcc55d7d7ff9894279fc21a9d1aef9a611eb2f02454c8ea00d57e551316b85c2520b3f6085fce51542b2299cc43b7bacbfac1fb08cdd305dc8312ab302a04c4721a36d5e5eba0d523160534c4d6b158e15f9dd8c1ed8a71e43618aec0809843ba585183cf2fffa4267d3e59b96863b57e31f2f42093a72e7129bd32721739242842db223cdd00b01357ba6de6b9743c6dae87a15688dc9a5308646d27d430ac3462d465e3763a408deba878be644a1c497c9eafc41ba4ca5365a0dd5025c9540bfd3678145921174dec4fb2161866dce2461baa467978c5ed7aea1e47fb07fffb1a4f87ebb544c48d2087922873e58b24dd87b68776afb96289b4c9fde09c88dc5cbd60ecaf4926e8612c53ecc2c486b80a161ebcb056f0192171b527419090b2092ab14e7afe6a23442e8458dcbbe006d6785e27d3c0798385e67dabd12fcb2e063bddcc0ec0745414f5be5205b084d3e37f335f566ee6f9e9d25ad592f8e41c1f5e721e20e5cb14b8fc6c17f4bd13a02473397bbda8b11d66ca9106de6fd889355db883a50149e1ec73d7c8eecb773d230ec9323588895416892743733719e832ddc24b88139d52ba5b72a56a89b10a4b707429938fe0cf66a251a17696f06a1c6960f3aab05fcb6fdad11a2f14fc7de19e967aeeb20ccf90fdbe46e03aacc76788d1930529efb8d71afdbe8353eb445cd4afd782afa9ea664ebb28ec95907ad86dd4b47c00d8802ea1a7f05d8c86c9759b6eee80c481f7a9f8c959c809a4bb24e4f3b4ace592bd11fbdb116fe23fefbde550c81c11a26dd425facebd9df614c451b253b27e7a3d27ecceaaaa1fe9a25d90afad6df9c09113ad35c32bd3cd5129bb5732f8ea9585bb036f75c42d5a02ce1083c6e70ae6a0930d1082d051e333531b7b984a0efcdc3f0097d4bd983ad24b31668557aadeccf497a301ccb23d9273f8f4b4d20aaba0594b4dfdf5cc1878860a9fb0d5f9f8d46b681cf23ead440a5cce3fa32837b65e0dc05cb9042b15225c108af49bd8228889a24de853533c3e5903da737a9ec6638afde378bb1ca75a4e09df5970a07cf71c4441d1ef30874d19c2b82611c33d9593df0c207309de0c198731f05947533d210bf1ccb9b1978300eeafc70f98116d465b0ee1c0a4ecebd6cf2b6c2d71d30da72f43d6196fdd593e45d1060de09fc2f4664d6eb448c2d39b7ad928026be003f1f1eaae4633fc465fbd7c5ef694e122bd679af788b18bd86847780788e803b6f7702bb10655df632c805efdc5512e2acf1866ec3eb157baacb2424e58c39281c3bcab690488c6410e29fd7446cbfef3c1b2e9a8b251862112a7584a22b9039572b420e0f6d9e837d7f828bf96a10eb0d0d78010b0514e697d9549fd4bda541c299fc63a28dcb54a8015942ff5e4ba0efb606a3bb3cb90604c233610fc04f2dcedb14157afd405da381154676d0df336538eeaac5ba03bd3be8eeb4bb6f292a337e48183b76373fa76797bdca1b812c218f32620e1b52f792296689e791c67a16a04a2ee1c6c6c5373a86331961c29aa27a4edc72904b43a2eee1c54b6b7ca0610b08f3a0344c29a40702f5628dbec0fa499e1473bccfd72e1cdabfd23778b8a1a86c062012c6cb0bd5bfc24ed1aa514b2d2829a9345449d497d487a0f67be0250cae7238934c51b0b5f05f4ccd300ba6e92665689ee2a24d2bdd66a6e075c12a1f776147c80a2afdd69d95135b83fbf98e129e50d51dbb6475abf10c97d41a1bee05a51619385a184f92e940b48b7941dc07483d263af007be69bebdad4b1aea59f6137edf15e045840d7081aa8a44c273aaf3723c74d8be5d7c22a6065e15e9f6f81295a9fab97a1fe3114836c509f64949d85aecc86cf0b006d17b5c4409c6565dc79741ef3887dfd0ae33c4080f19f4e7c5e0bc4c7bb5c5302d3d1121446ef6876dcf7b152cdfce6142d17f34c5ee51cd00243e251db227261889d7c190d1b96669af9d350fd619195bb9534e5d2e629688107ed174380e8c82996c0274c44f5a99b09709f82e21b83565bae29b2689e389b6b4c076196e4870860add6f2ab5941ad8986348ae14f1ccdfe502919793beffec608580af655716239396f3630c3922f3aecb40736a6588461f8a710ba25cd9802b94d3254c64787579eca7a50c829780c99a5bd2a795be1b6d9c773618f481488731370abb18afac21e3d1600481aa5100bff24840e9758cb6e15b2352080317aa808292debfb7deed889793f2acec662631606e5a03063fb70d23bfccfa19045047e40acb30d06e72f1c6da3e1a52c32119effccb0ba6fe0c44967d5da15d17d3284105ce732cb1fa9968442669f8766b7ddc7559e4f0341b03f310041b7484f284c7293c92f0fd8fdd64fd7891884ed73418bece3195e45bf6b4ef131bcd2a0bdaace71fe6f390d26b43962f8d83ce02ee647d2c63ab0e34cbd7b8c8ca17d7a86f816588c4c3f458adb44a03a9df02a33b81566f2795e7ddf4e2109b35e26757e8afe857f2167eb1ffaf8daa14857ccc8d5589159bb145a5758380db71fb26736bd777b00e4cae913eb686ad7a4c4942b22f0d98502c0b301ded6f82a2d27f7ebc2477f431e61d60d10d4939071e1c4ff4a8d225b7f07c5a56ca639b3aea12a126492ec808c0b37ad1e78db5e068e81a309d78084bc27ae8c7c44a85218c8f3809d83d78fdb1bd4c222e9d65603707129ca260e8dfbb6377049fb18e0ec4e53ec87e8c8c3b505c7814ca497dcbb2c6643b1ca6f9ead6c4f58ef769e54e72348b42e9ddeefb7eb715a065ab7670eb484f28ba7b5852c862c59849a5633fa1c1e310a09ba334ed82dfd5ad812f3269a50cb8459a8ed47e2742a5cc16e09bba4de427739fe2f1c0f1fa52c9216b24f689615016c1909d67c1515d26396133cb4a3d4296c3d19621bc2314a03924e64a8389cc09ec697cee31a132c65a359d66accec3619454ae73cf922370e9a8b5a6714acf3f9edd7c77f597d1ecaf96029739b11329e546ae3d6a58f20bd6f632bba3acfcf8e0c486243e4fe20800723728f029514b4880b7f7e46eba37c8cc2f828d4f3a521916fe8a689ea75580957887d197a52f7110a0be98ec1e98925e7a64fb26af36c89f927b17599bd4974386d0030e4835d7d7da4959c6cc6935743801a34e7b4fb4e995e98b0bbc1db34cd398be60803e78fe7514c30c3dec601f6ba61d3fbf960a8093690886d2e5b19c93b76c29d3e1823d8fd1fdf4a7a344b868ea9181fce631c188e62cf8af31dc4d384ef2641e3726b8842e3a2ca4f355b6e4f1de38a1bfb3277ca46687facd69033cbdf2f31b2192b13d7136df557cda04149009d85029d0cbfa9641b474440c1f8b1cfe69eaa79790e3eb39f5375f86b41b8f63b716ac3f8107f3d2efdc82d748e1692f0f8474a8ff0124b56d0668a58ace706ba2485ed398bcb327f24c29ca7baeaef14963a2465b0d0beb39abe08e97a384c7d640775539111d08ffb68233cd488d16116fde0ed15045e5e941298a77ac7eea439bb03e139a5532218b06ee5700c749ad16b8c8a2ab4335ad2a49831373eaab4b02e12758a9e89bc7abff6a6ee450e4e5ae4c2235d0efe11d411c638d5f5a1b97467adb6d1444c78cfc1188832a9d65e46bdad52d303ffbcd5e4ab85d28708e2b2e998f8970f6f3d2665a669568b6e4eed94d62f814ff743c257bec9b6ce1caab38b5b0673f54b3ecab7c6d65be5284314be00cc28cec80947d95af3106148e4e80ac4824f8b54c872b60c0ca8f65cca65dda7dd5a2b426e78015a7cd9374f2eb1970ee25dd32d5e83350ae32e16b4f3f13dca3821c7c555b7", @typed={0x14, 0x3f, @ipv6=@ipv4={[], [], @rand_addr=0xe4}}]}, @nested={0x23c, 0x1d, [@generic="afb8d787688ec3a031a509284f58e85d7e151abb1a0ac983b8ee440f60b8eb3fc5953d31de99e0673ff3fcfc72d03e1dcf2badefbab5572407a8401c80742c4aa603e4de4d3df77841c76dbb4b0f8497cf1e86fea5d626863cd1e52b5a66e1", @generic="185c084cdebe13410c46b16bb3ba7db11879be5e6e11e59a788049e33f331bed669c23b75f69474d3cdf6611d765721d7188042c91bae8cbaf330493d596b8fe034c6405fd471178da185a8a9e52fd659e2e77008889c85a764dc5322d1f17a8127a", @generic="e6e6610f1fa7a193c11b4f918e48b86681e1cbc321ba714122b650d64b2d2fb439f68e4a8ae286e30c99f8f555d9d1099c468109373ae0cf7eb2cad1f921092a45c973fb6b607496b428dc2d669dfb7fbce87b34f93b9baeb9c4096dc6a321c4ed09a628cfdb93381001613cf81bceae77a26458adcd3184d8dcd81527280633bc2c7dfbd12d510428b2ca3fb8661e9f0e7522b483c0a96d18aa67c500c5937a604240b31fd0ae88f969ad4889697ce7b0299fcc36fae5c6865f15e350b769131f40f70f031ed2a0baf2129455e23106ba4e097199ee6423ac", @typed={0x9c, 0x8f, @binary="828077500ca557d18735f63b634404becbae1c5a467437a9eb70b580e23a7260530d5c35705484be116806ca14c67abc90916e9fe45619d918485c64621a0c3cd2361705af0cda7c2731315672c9f8f65b7259aa902ae6f4eb05b621b6f1a70b0458c38fa94235bed77af07dd48f2270515697a2e30fb58358069eed293153f65e92cd68f932efceed9cdd5814b62bd4df4a97a0e8f0"}]}]}, 0x23b4}, 0x1, 0x0, 0x0, 0xc0}, 0x4000)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$sock_kcm_SIOCKCMCLONE(r3, 0x89e2, &(0x7f0000002640)={r0})
fcntl$F_GET_RW_HINT(r1, 0x40b, &(0x7f0000000100))

17:34:28 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  461.198503][T31141] binder_transaction: 1 callbacks suppressed
[  461.198555][T31141] binder: 31132:31141 transaction failed 29189/-3, size 24-8 line 3147
[  461.212257][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  461.231515][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:28 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x115002, 0x0)
ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r1, 0xc4c85512, &(0x7f0000000080)={{0x0, 0x7, 0xb, 0x6151, 'syz1\x00', 0xf804}, 0x0, [0x80, 0xffffffffffff0001, 0x80000001, 0x125, 0x1, 0x8, 0x3f, 0x1, 0x78, 0x6, 0x1, 0x0, 0x10000, 0x5, 0x0, 0x6, 0x3, 0x9, 0x1f, 0x744, 0x3, 0xfff, 0x1000, 0x1, 0x8000, 0x3, 0x65f000000000, 0xfffffffffffffff7, 0xffffffffffffffe0, 0x7fffffff, 0x6, 0x1, 0x7, 0xfff, 0x4, 0x4, 0x7fff, 0xffff, 0x101, 0x9, 0x800, 0x3, 0x0, 0x80000001, 0x81, 0x1, 0x7a70, 0x0, 0x7, 0x0, 0x3, 0xfffffffffffffffa, 0x1, 0x4, 0x5, 0x6, 0x8, 0xffffffff, 0x9, 0x7fff, 0x7, 0xfffffffffffffff9, 0x401, 0x42, 0x6, 0xd90b, 0x0, 0x8, 0x9, 0x9, 0x1000, 0x6, 0xffffffff, 0x2, 0xfffffffffffffff8, 0xe065, 0xcea8, 0x2, 0x800, 0x0, 0xffffffff, 0x9, 0x20, 0x846, 0x100, 0xb9c3, 0x4, 0x8, 0x5ff, 0x0, 0xffff, 0x5, 0x4, 0x40, 0x400, 0x7, 0x2, 0x7ff, 0x4, 0x100000, 0x0, 0x8, 0x100000001, 0x4, 0x2, 0x18ba, 0x1, 0x5, 0x5, 0x8, 0x8, 0x10020000, 0x1f, 0x3, 0x4, 0x6, 0x7, 0x2, 0x7, 0x9, 0x4, 0x4, 0x200, 0x0, 0x1f, 0x200, 0x80000000, 0x7], {0x0, 0x1c9c380}})
ioctl$sock_inet_SIOCGARP(r0, 0x8954, &(0x7f0000000580)={{0x2, 0x4e24, @local}, {0x6, @dev={[], 0x18}}, 0x20, {0x2, 0x4e21, @broadcast}, 'team0\x00'})
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

17:34:28 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7a000000, 0x0, 0x0})

[  461.307638][ T7838] binder: send failed reply for transaction 1374, target dead
17:34:28 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  461.403390][T31408] binder: 31402:31408 ioctl c0306201 200001c0 returned -14
[  461.419394][T31461] binder_alloc: binder_alloc_mmap_handler: 31402 20001000-20004000 already mapped failed -16
[  461.453731][T31408] binder: BINDER_SET_CONTEXT_MGR already set
[  461.489358][T31408] binder: 31402:31408 ioctl 40046207 0 returned -16
17:34:28 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = syz_open_dev$media(&(0x7f0000000080)='/dev/media#\x00', 0x6, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000280)={<r3=>0xffffffffffffffff, 0xffffffffffffff9c, 0x0, 0x1, &(0x7f0000000240)='\x00'}, 0x30)
getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f00000002c0)={{{@in=@empty, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in6=@loopback}, 0x0, @in=@multicast2}}, &(0x7f00000003c0)=0xe8)
r5 = getegid()
r6 = getpgid(0xffffffffffffffff)
lstat(&(0x7f0000000400)='./file0\x00', &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, <r7=>0x0})
fstat(r1, &(0x7f00000004c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r8=>0x0})
ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000540)=<r9=>0x0)
getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000580)={{{@in6=@dev, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r10=>0x0}}, {{@in6=@mcast1}, 0x0, @in6}}, &(0x7f0000000680)=0xe8)
lstat(&(0x7f00000006c0)='./file0\x00', &(0x7f0000000700)={0x0, 0x0, 0x0, 0x0, 0x0, <r11=>0x0})
sendmsg$unix(r2, &(0x7f0000000880)={&(0x7f00000000c0)=@file={0x1, './file0\x00'}, 0x6e, &(0x7f0000000200)=[{&(0x7f0000000140)="3f07390296b10c059d060f8e1ac7801490774b1d47bdd7f0e292d9aa4881bbc5bca972fcf2cafd37fa1ca42d22d707c1dce758094a07702e8f82d5f9768611057d1acf15c4255022a9ce2491c8d4ebe09df19c688b41eb5a352065335b14b79cf6a2460457738a621d75ee1e4ae6bb6fd6caed9c680bddc98b372f9d8442d20fb6fdf7fd8d90842263063eab7e4c1d58c98bf0aec1ea4739333fc9", 0x9b}], 0x1, &(0x7f0000000780)=[@rights={0x20, 0x1, 0x1, [r0, r0, r0, r0]}, @cred={0x20, 0x1, 0x2, r3, r4, r5}, @rights={0x18, 0x1, 0x1, [r1]}, @rights={0x30, 0x1, 0x1, [r1, r0, r1, r0, r1, r0, r0, r1]}, @cred={0x20, 0x1, 0x2, r6, r7, r8}, @cred={0x20, 0x1, 0x2, r9, r10, r11}, @rights={0x20, 0x1, 0x1, [r0, r1, r1]}, @rights={0x18, 0x1, 0x1, [r1, r0]}], 0x100, 0x10}, 0x4000000)

17:34:28 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = semget$private(0x0, 0x0, 0x0)
semtimedop(r1, &(0x7f0000000000)=[{0x3}, {0x1, 0x3, 0x800}], 0x2, &(0x7f0000000080))
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
semget$private(0x0, 0x7, 0x0)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

[  461.517763][ T7838] binder: release 31402:31408 transaction 1380 out, still active
[  461.529143][T31461] binder_alloc: 31402: binder_alloc_buf, no vma
[  461.554388][ T7838] binder: unexpected work type, 4, not freed
[  461.586166][T31461] binder: 31402:31461 transaction failed 29189/-3, size 24-8 line 3147
[  461.610026][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  461.616001][ T7838] binder: send failed reply for transaction 1380, target dead
17:34:28 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0xfdfdffff, 0x0, 0x0})

[  461.637722][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:29 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:29 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  461.755394][T31761] binder: 31715:31761 ioctl c0306201 200001c0 returned -14
17:34:29 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
openat$vimc0(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/video0\x00', 0x2, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$sndpcmc(&(0x7f0000000080)='/dev/snd/pcmC#D#c\x00', 0x1a8, 0x408000)
write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x4, &(0x7f0000000100)={<r3=>0xffffffffffffffff}, 0x111, 0xf}}, 0x20)
write$RDMA_USER_CM_CMD_SET_OPTION(r2, &(0x7f0000000180)={0xe, 0x18, 0xfa00, @id_resuseaddr={&(0x7f00000000c0)=0x1, r3, 0x0, 0x1, 0x4}}, 0x20)
getsockopt$IP_VS_SO_GET_SERVICE(r0, 0x0, 0x483, &(0x7f0000000200), &(0x7f0000000280)=0x68)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:29 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$sock_inet_SIOCSIFNETMASK(r0, 0x891c, &(0x7f0000000000)={'gre0\x00', {0x2, 0x4e22, @multicast2}})
ioctl$RTC_AIE_OFF(r1, 0x80247009)
modify_ldt$write(0x1, &(0x7f0000000080)={0x2, 0x20000800, 0xffffffffffffffff, 0x3f, 0x2, 0x99, 0x72f, 0x1f, 0x10000, 0x6}, 0x10)

17:34:29 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  461.812863][T31783] binder_alloc: binder_alloc_mmap_handler: 31715 20001000-20004000 already mapped failed -16
[  461.889531][T31761] binder: BINDER_SET_CONTEXT_MGR already set
[  461.935637][T31761] binder: 31715:31761 ioctl 40046207 0 returned -16
[  461.960132][T31839] binder_alloc: 31715: binder_alloc_buf, no vma
[  461.999692][T31783] binder: 31715:31783 ioctl c0306201 200001c0 returned -14
17:34:29 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x9, &(0x7f0000000040)="0adc1f163c12e41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$mice(&(0x7f0000000080)='/dev/input/mice\x00', 0x0, 0x800)
r3 = getpgid(0xffffffffffffffff)
ioctl$SNDRV_CTL_IOCTL_ELEM_REPLACE(r2, 0xc1105518, &(0x7f0000000100)={{0xa, 0x6, 0x6, 0xbff2, '\x00', 0x6}, 0x2, 0x3, 0x5, r3, 0x4, 0x0, 'syz0\x00', &(0x7f00000000c0)=['.\x00', 'nodevsystemppp0\x00', '/dev/rtc\x00', ')\x00'], 0x1d, [], [0x7fffffff, 0xe16, 0x996, 0x8]})
ioctl$KVM_KVMCLOCK_CTRL(r2, 0xaead)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:29 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  462.045273][T31839] binder: 31715:31839 transaction failed 29189/-3, size 24-8 line 3147
[  462.060430][ T7838] binder: send failed reply for transaction 1386 to 31715:31761
[  462.100339][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  462.134234][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:29 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0xfffffdfd, 0x0, 0x0})

[  462.152832][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:29 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xf6ffffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  462.227289][T32123] binder: 32103:32123 ioctl c0306201 200001c0 returned -14
[  462.237469][T32164] binder_alloc: binder_alloc_mmap_handler: 32103 20001000-20004000 already mapped failed -16
[  462.249459][T32123] binder: BINDER_SET_CONTEXT_MGR already set
17:34:29 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  462.304425][T32123] binder: 32103:32123 ioctl 40046207 0 returned -16
[  462.318191][ T7838] binder: send failed reply for transaction 1393 to 32103:32123
17:34:29 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x100000000000000, 0x0, 0x0})

17:34:29 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xc000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  462.356785][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  462.377162][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:29 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:29 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x80000000000000, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  462.468533][T32227] binder: 32226:32227 ioctl c0306201 200001c0 returned -14
[  462.531692][T32288] binder_alloc: binder_alloc_mmap_handler: 32226 20001000-20004000 already mapped failed -16
[  462.576148][T32227] binder: BINDER_SET_CONTEXT_MGR already set
17:34:29 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x7002)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  462.629593][ T7838] binder: release 32226:32227 transaction 1398 out, still active
[  462.638373][T32227] binder: 32226:32227 ioctl 40046207 0 returned -16
[  462.653000][ T7838] binder: unexpected work type, 4, not freed
17:34:30 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfcfdffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  462.680041][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  462.688360][ T7838] binder: send failed reply for transaction 1398, target dead
17:34:30 executing program 1:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.events\x00', 0x0, 0x0)
bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000100)={r0, 0x0, 0x1, 0x3, &(0x7f00000000c0)=[0x0, 0x0], 0x2}, 0x20)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000140)=<r2=>0x0)
fcntl$lock(r0, 0x27, &(0x7f0000000280)={0x0, 0x4, 0xfffffffffffff28b, 0x8, r2})
prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$KDSIGACCEPT(r0, 0x4b4e, 0x1b)
poll(&(0x7f0000000000)=[{r3}], 0x1, 0x100000001)
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT(r0, 0x404c534a, &(0x7f0000000180)={0xcd8c, 0x80000000, 0x3})
ioctl$VIDIOC_TRY_DECODER_CMD(r0, 0xc0485661, &(0x7f0000000200)={0x7, 0x3, @start={0x5, 0x1}})

17:34:30 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x200000000000000, 0x0, 0x0})

17:34:30 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x27f3627f0000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:30 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
ioctl$FS_IOC_ENABLE_VERITY(r0, 0x6685)

[  462.842414][T32546] binder: 32518:32546 ioctl c0306201 200001c0 returned -14
[  462.876680][T32584] binder_alloc: binder_alloc_mmap_handler: 32518 20001000-20004000 already mapped failed -16
[  462.910560][T32546] binder: BINDER_SET_CONTEXT_MGR already set
[  462.923081][T32546] binder: 32518:32546 ioctl 40046207 0 returned -16
[  462.936136][T32584] binder_alloc: 32518: binder_alloc_buf, no vma
[  462.956126][ T7838] binder: release 32518:32546 transaction 1403 out, still active
[  462.965021][T32584] binder: 32518:32584 transaction failed 29189/-3, size 24-8 line 3147
[  462.978357][ T7838] binder: unexpected work type, 4, not freed
17:34:30 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x60ffffffffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:30 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000180)='/proc/capi/capi20\x00', 0x20080, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = syz_open_dev$sndpcmc(&(0x7f0000000080)='/dev/snd/pcmC#D#c\x00', 0x3, 0x280000)
ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, &(0x7f0000000100)={&(0x7f00000000c0)=[0x1, 0x0], 0x2, 0x2, 0xfffffffffffffff9, 0x10000, 0x2, 0x7f, {0x9, 0x2, 0x7, 0x0, 0x4, 0x80000000, 0x18, 0x7ff, 0x8001, 0x80000000, 0x0, 0x100000000, 0x7, 0x2, "a8c3265d5f1798f8c6b3152ae79dd32b3818c2bed91a5a6050644d6e73a0caee"}})

[  463.002363][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  463.023396][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:30 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x300000000000000, 0x0, 0x0})

[  463.089926][ T7838] binder: send failed reply for transaction 1403, target dead
17:34:30 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/qat_adf_ctl\x00', 0x40000, 0x0)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(0xffffffffffffff9c, 0x84, 0x73, &(0x7f0000000100)={<r3=>0x0, 0x100, 0x20, 0x10001, 0x7}, &(0x7f0000000140)=0x18)
getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000180)={r3, 0x6}, &(0x7f00000001c0)=0x8)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000000)=<r4=>0x0)
ptrace$getregs(0xc, r4, 0x2, &(0x7f0000000080)=""/45)

[  463.197575][  T333] binder: 300:333 ioctl c0306201 200001c0 returned -14
[  463.231795][  T375] binder_alloc: binder_alloc_mmap_handler: 300 20001000-20004000 already mapped failed -16
17:34:30 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  463.242310][    C0] net_ratelimit: 19 callbacks suppressed
[  463.242320][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  463.242381][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  463.261248][  T333] binder: BINDER_SET_CONTEXT_MGR already set
[  463.267551][  T333] binder: 300:333 ioctl 40046207 0 returned -16
[  463.275368][  T375] binder_alloc: 300: binder_alloc_buf, no vma
[  463.284383][  T375] binder: 300:375 transaction failed 29189/-3, size 24-8 line 3147
17:34:30 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  463.308665][ T7838] binder: release 300:333 transaction 1409 out, still active
17:34:30 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008b12, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  463.350828][ T7838] binder: unexpected work type, 4, not freed
17:34:30 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x400000000000000, 0x0, 0x0})

[  463.416536][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  463.453150][ T7838] binder: send failed reply for transaction 1409, target dead
17:34:30 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000100)={{{@in=@empty, @in=@local}}, {{@in=@dev}, 0x0, @in=@broadcast}}, &(0x7f0000000000)=0xe8)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
setsockopt(r0, 0x3, 0x62d, &(0x7f0000000080)="37d3838d2237f04d3aa27932dc3303d0b26b6adf418097098daee015567c0bff6360ba713e4916c3fc85949c0d4f8f92e12a443623aaf0308b24741f533daf4d075d24738d612571bbcf187be3ddef403d626da88aca7befbb21169f229892aef31fe70c445eb9cf", 0x68)

17:34:30 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x740000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  463.552506][  T564] binder: 556:564 ioctl c0306201 200001c0 returned -14
17:34:30 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$sock_SIOCOUTQ(r0, 0x5411, &(0x7f0000000080))
r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/self/net/pfkey\x00', 0x101000, 0x0)
ioctl$SNDRV_SEQ_IOCTL_SET_PORT_INFO(r1, 0x40a85323, &(0x7f0000000100)={{0x101, 0x4}, 'port1\x00', 0x40, 0x100010, 0x2, 0x17, 0x7fff, 0x7, 0xfffffffffffffffe, 0x0, 0x7, 0x401})
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  463.627021][  T607] binder_alloc: binder_alloc_mmap_handler: 556 20001000-20004000 already mapped failed -16
[  463.682850][  T564] binder: BINDER_SET_CONTEXT_MGR already set
[  463.698399][  T564] binder: 556:564 ioctl 40046207 0 returned -16
[  463.723415][  T690] binder_alloc: 556: binder_alloc_buf, no vma
[  463.746542][  T690] binder: 556:690 transaction failed 29189/-3, size 24-8 line 3147
17:34:31 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x60ffffffffff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:31 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffefffffff7f0000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  463.771661][  T564] binder: 556:564 ioctl c0306201 200001c0 returned -14
[  463.815881][ T7838] binder: release 556:564 transaction 1415 out, still active
[  463.837788][ T7838] binder: unexpected work type, 4, not freed
17:34:31 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f00000000c0)={'nlmon0\x00', &(0x7f0000000000)=@ethtool_cmd={0x47, 0xfaa, 0xff, 0x99, 0x95, 0xffffffff, 0x97, 0xe000000000000000, 0x98f2, 0x1f, 0x820, 0x0, 0x6, 0x9, 0x6, 0x8, [0xfff, 0x6]}})
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x80001, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:31 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x500000000000000, 0x0, 0x0})

[  463.874026][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  463.899242][ T7838] binder: send failed reply for transaction 1415, target dead
17:34:31 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x400000, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
write$uinput_user_dev(r0, &(0x7f00000000c0)={'syz0\x00', {0x8001, 0x5, 0x101, 0x2}, 0x9, [0x4, 0x4, 0x23620c5a, 0x4, 0x3, 0x63, 0x10001, 0x2, 0x80000001, 0x2, 0x8, 0xffffffffffff1467, 0x8001, 0x4, 0x3, 0x0, 0x400, 0x6, 0x0, 0x200, 0x4, 0xc1d7, 0x5, 0x5, 0x3, 0x8, 0x8, 0x4, 0xffffffffffffff7f, 0x3, 0x1, 0x8, 0x7f, 0x8, 0xfbab, 0x5, 0x3ff, 0x8001, 0x7, 0x10001, 0x2, 0x81, 0x7, 0x9, 0xe57, 0xffffffffffffffdc, 0xffffffffffffffc1, 0x1, 0xfffffffffffffffc, 0x0, 0x7, 0x4, 0x688, 0xfffffffffffff001, 0x40, 0x5, 0x0, 0x654, 0x0, 0x9, 0xfffffffffffff528, 0x4, 0x100], [0x67, 0x3, 0x10001, 0x100000000, 0x101, 0x7f, 0x5, 0x0, 0x200000, 0x6c4, 0x9, 0x8, 0x6, 0xa98, 0x6, 0x200, 0x100, 0x3, 0x0, 0x59, 0x0, 0x1, 0x7, 0x5, 0x5, 0x1, 0x100, 0x4, 0x2, 0x400, 0x5, 0xfffffffffffffff9, 0x9, 0x7f, 0xffffffff, 0x4, 0x873, 0x3f, 0x1f, 0x5, 0x401, 0x5, 0x401, 0x2, 0x5, 0x7fffffff, 0xffffffffffffffff, 0x1, 0x9, 0x1, 0x3f, 0x7f, 0x2, 0x69b, 0xfff, 0x1, 0x0, 0x0, 0x0, 0x80, 0x2, 0x8001, 0x8], [0x1, 0x9, 0x101, 0x7f, 0xf6f, 0xcd, 0x1, 0x2, 0x3f, 0x4, 0x5, 0xfffffffffffffffb, 0x9, 0x7, 0x8, 0x9, 0xc1, 0x9ef, 0x77b4, 0xfffffffffffff801, 0x8460, 0x3, 0x1, 0x0, 0x1, 0x3ff, 0x3, 0x7, 0x5, 0x53, 0x3ff, 0x5, 0x1000, 0x7fffffff, 0xf4, 0x8, 0x4, 0x2, 0x2, 0x2, 0x1, 0x4, 0xe1, 0xcc1121f, 0x6d70, 0x100, 0x10001, 0x8001, 0xfffffffffffffffb, 0x1000, 0x8000, 0x80000000, 0x0, 0x2, 0x1ff, 0x81, 0x7, 0x1, 0x84b, 0x2, 0xfffffffeffffffff, 0x5, 0xfffffffffffeffff, 0xddc], [0x7a, 0x2b, 0x2, 0x3, 0x369e13cc, 0x9, 0x5000000000000000, 0x6f, 0x3, 0x4, 0x7, 0x7, 0x80000001, 0x3ff, 0x31d, 0x5, 0x2, 0x2, 0x3, 0x0, 0x46d, 0x1, 0xbad, 0x2, 0x7, 0x8001, 0x4, 0x7f, 0x4, 0x5, 0x2, 0x0, 0x33, 0x8001, 0x0, 0x1000, 0x2, 0x2, 0x0, 0xfffffffffffffffe, 0x6, 0x20, 0x3, 0x7ff, 0xed9, 0x6, 0xa2, 0x100, 0x5, 0x3, 0x7, 0x2, 0xfffffffffffffffd, 0x9, 0x9, 0xa, 0x100000000, 0x1, 0x8ad8, 0x1ff, 0x8, 0xfffffffffffffff8, 0x7ff9, 0xfffffffffffffffd]}, 0x45c)

[  463.978729][  T858] binder: 855:858 ioctl c0306201 200001c0 returned -14
[  464.011461][  T867] binder_alloc: binder_alloc_mmap_handler: 855 20001000-20004000 already mapped failed -16
[  464.039812][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  464.039848][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  464.045602][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  464.070437][  T858] binder: BINDER_SET_CONTEXT_MGR already set
[  464.090828][  T858] binder: 855:858 ioctl 40046207 0 returned -16
[  464.097313][  T960] binder_alloc: 855: binder_alloc_buf, no vma
[  464.105618][  T960] binder: 855:960 transaction failed 29189/-3, size 24-8 line 3147
[  464.123100][  T858] binder: 855:858 ioctl c0306201 200001c0 returned -14
[  464.131483][ T7838] binder: release 855:858 transaction 1422 out, still active
17:34:31 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
setsockopt$sock_void(r0, 0x1, 0x3f, 0x0, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:31 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x600000000000000, 0x0, 0x0})

[  464.155600][ T7838] binder: unexpected work type, 4, not freed
[  464.180304][ T7838] binder: send failed reply for transaction 1422, target dead
17:34:31 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffffffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:31 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x740000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:31 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7f8fa3bc6000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  464.279799][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  464.285681][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  464.303713][ T1115] binder: 1090:1115 ioctl c0306201 200001c0 returned -14
17:34:31 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x117e, &(0x7f0000000080)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
fchdir(r0)

[  464.372694][ T1171] binder_alloc: binder_alloc_mmap_handler: 1090 20001000-20004000 already mapped failed -16
17:34:31 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getresgid(&(0x7f0000000000), &(0x7f0000000080)=<r1=>0x0, &(0x7f00000000c0))
fstat(r0, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, <r2=>0x0})
setgroups(0x2, &(0x7f0000000180)=[r1, r2])
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
socketpair(0x1, 0x2, 0x9, &(0x7f00000001c0)={<r4=>0xffffffffffffffff})
sendmsg$can_bcm(r4, &(0x7f0000000300)={&(0x7f0000000200), 0x10, &(0x7f00000002c0)={&(0x7f0000000240)={0x7, 0x1, 0xffffffff, {0x77359400}, {}, {0x4, 0x1, 0xfcd8, 0x524}, 0x1, @canfd={{0x3, 0x1, 0x3f, 0x2}, 0x4, 0x1, 0x0, 0x0, "6a0c4546599e77bb1fda065b6c318d5747ecd1d3a4b040af44511863343539ed37d12852db95def56b00e310d5a94d4876d69206942469ecc31101d42d813ed1"}}, 0x80}, 0x1, 0x0, 0x0, 0x20000004}, 0x8000)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

[  464.425283][ T1115] binder: BINDER_SET_CONTEXT_MGR already set
[  464.451850][ T1115] binder: 1090:1115 ioctl 40046207 0 returned -16
[  464.478337][ T1204] binder_alloc: 1090: binder_alloc_buf, no vma
[  464.515005][ T1171] binder: 1090:1171 ioctl c0306201 200001c0 returned -14
17:34:31 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
syncfs(r0)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
fsetxattr$trusted_overlay_nlink(r0, &(0x7f00000014c0)='trusted.overlay.nlink\x00', &(0x7f0000001500)={'U-', 0x4}, 0x28, 0x2)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_ON(r1, 0x7001)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
preadv(r1, &(0x7f0000001440)=[{&(0x7f0000000080)=""/206, 0xce}, {&(0x7f0000000180)=""/4096, 0x1000}, {&(0x7f0000001180)=""/172, 0xac}, {&(0x7f0000001240)=""/233, 0xe9}, {&(0x7f0000001340)=""/29, 0x1d}, {&(0x7f0000001380)=""/181, 0xb5}], 0x6, 0x0)

17:34:31 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x700000000000000, 0x0, 0x0})

[  464.580769][ T1204] binder: 1090:1204 transaction failed 29189/-3, size 24-8 line 3147
[  464.589163][ T7838] binder: send failed reply for transaction 1429 to 1090:1115
17:34:32 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7f62f3270000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  464.679801][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  464.685646][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  464.698876][ T1412] binder: 1411:1412 ioctl c0306201 200001c0 returned -14
17:34:32 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffffffffff600000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:32 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7fffffffefff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  464.733867][ T1412] binder: BINDER_SET_CONTEXT_MGR already set
17:34:32 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x9000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  464.779493][ T1421] binder_alloc: 1411: binder_alloc_buf, no vma
[  464.839831][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  464.847540][ T7838] binder: release 1411:1412 transaction 1436 out, still active
[  464.856228][ T1412] binder: 1411:1412 ioctl 40046207 0 returned -16
[  464.890613][ T7838] binder: unexpected work type, 4, not freed
[  464.901184][ T1421] binder: 1411:1421 transaction failed 29189/-3, size 24-8 line 3147
[  464.920169][ T7838] binder_release_work: 4 callbacks suppressed
[  464.920175][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:32 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x280, 0x0)
ioctl$DRM_IOCTL_GET_STATS(r1, 0x80f86406, &(0x7f00000000c0)=""/200)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$RTC_IRQP_SET(r2, 0x4008700c, 0x17aa)

17:34:32 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0xa00000000000000, 0x0, 0x0})

[  464.983807][ T7838] binder: send failed reply for transaction 1436, target dead
17:34:32 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x2041, 0x0)
ioctl$BLKGETSIZE64(r1, 0x80081272, &(0x7f0000000080))
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
write$P9_RRENAMEAT(r1, &(0x7f00000000c0)={0x7, 0x4b, 0x1}, 0x7)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)
ioctl$DRM_IOCTL_AGP_ALLOC(r0, 0xc0206434, &(0x7f0000000100)={0x200, <r3=>0x0, 0x1})
ioctl$DRM_IOCTL_AGP_FREE(r1, 0x40206435, &(0x7f0000000140)={0x0, r3, 0x1, 0x40})

17:34:32 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x7fffffffefff)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  465.128091][ T1669] binder: 1660:1669 ioctl c0306201 200001c0 returned -14
[  465.165638][ T1669] binder: BINDER_SET_CONTEXT_MGR already set
17:34:32 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f0000000000)={0x0, 0x0, <r2=>0x0}, &(0x7f0000000040)=0xc)
setregid(r2, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  465.188097][ T1737] binder_alloc: 1660: binder_alloc_buf, no vma
[  465.216832][ T7838] binder: release 1660:1669 transaction 1442 out, still active
[  465.230204][ T1669] binder: 1660:1669 ioctl 40046207 0 returned -16
[  465.236762][ T7838] binder: unexpected work type, 4, not freed
17:34:32 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x940000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:32 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000080)='/proc/capi/capi20\x00', 0x294c02, 0x0)
ioctl$TCSETS(r1, 0x5402, &(0x7f00000000c0)={0xf1, 0x7, 0x7, 0x5, 0x11, 0x1000, 0x0, 0x7f, 0x5, 0x8, 0x7})
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  465.260440][ T1737] binder: 1660:1737 transaction failed 29189/-3, size 24-8 line 3147
[  465.268718][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  465.305769][ T7838] binder: send failed reply for transaction 1442, target dead
17:34:32 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = syz_open_dev$dmmidi(&(0x7f0000000080)='/dev/dmmidi#\x00', 0x4, 0x200102)
getsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(0xffffffffffffff9c, 0x84, 0x22, &(0x7f00000000c0)={0x5, 0x8004, 0x8000, 0x1, <r2=>0x0}, &(0x7f0000000100)=0x10)
getsockopt$inet_sctp6_SCTP_ASSOCINFO(r1, 0x84, 0x1, &(0x7f0000000140)={r2, 0xee6, 0x80, 0x3, 0x6b3e19c9, 0x401}, &(0x7f0000000200)=0x14)
getresgid(&(0x7f0000000000)=<r3=>0x0, &(0x7f00000001c0), &(0x7f0000000180))
setgid(r3)
prctl$PR_GET_SPECULATION_CTRL(0x34, 0x0, 0x2)
socket$inet6_udplite(0xa, 0x2, 0x88)
r4 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r4, 0x80247009)

17:34:32 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x2000000000000000, 0x0, 0x0})

[  465.453912][ T1900] binder: 1895:1900 ioctl c0306201 200001c0 returned -14
[  465.482119][ T1900] binder: BINDER_SET_CONTEXT_MGR already set
[  465.498588][ T7838] binder: release 1895:1900 transaction 1448 out, still active
[  465.508063][ T1900] binder: 1895:1900 ioctl 40046207 0 returned -16
[  465.520279][ T7838] binder: unexpected work type, 4, not freed
17:34:32 executing program 1:
r0 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ubi_ctrl\x00', 0x400, 0x0)
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
write$USERIO_CMD_SET_PORT_TYPE(r0, &(0x7f0000000140)={0x1, 0x7}, 0x2)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio\x00', 0x40, 0x0)
openat$cgroup_type(r2, &(0x7f00000000c0)='cgroup.type\x00', 0x2, 0x0)

17:34:32 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x3f00000000000000, 0x0, 0x0})

[  465.544919][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  465.563067][ T7838] binder_release_work: 5 callbacks suppressed
[  465.563075][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:32 executing program 4:
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x40, 0x0)
socket$inet_udplite(0x2, 0x2, 0x88)
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  465.618156][ T7838] binder: send failed reply for transaction 1448, target dead
17:34:33 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x940000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  465.686422][ T2113] binder: 2095:2113 ioctl c0306201 200001c0 returned -14
17:34:33 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
r3 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0xef, 0x281)
ioctl$DRM_IOCTL_AGP_INFO(r3, 0x80386433, &(0x7f00000000c0)=""/244)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  465.761068][ T2113] binder: BINDER_SET_CONTEXT_MGR already set
17:34:33 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  465.807118][ T7838] binder: release 2095:2113 transaction 1454 out, still active
[  465.816417][ T2113] binder: 2095:2113 ioctl 40046207 0 returned -16
[  465.824996][ T7838] binder: unexpected work type, 4, not freed
17:34:33 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = fcntl$dupfd(r0, 0x0, r0)
setsockopt$inet_sctp_SCTP_EVENTS(r1, 0x84, 0xb, &(0x7f0000000080)={0x1000, 0x3, 0x89, 0x800000, 0x1, 0x20, 0xe0, 0x400, 0x2, 0x8000, 0x4000000000000000}, 0xb)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
write$FUSE_DIRENT(r1, &(0x7f00000000c0)={0x108, 0xfffffffffffffffe, 0x2, [{0x5, 0x2, 0x9, 0x8, '/dev/rtc\x00'}, {0x6, 0x63, 0x10, 0x4, 'posix_acl_access'}, {0x3, 0x1ff, 0x4, 0x2, 'em0*'}, {0x4, 0x3, 0x9, 0x4, '/dev/rtc\x00'}, {0x3, 0x101, 0x1b, 0x3, '/`(}lo\'(}vboxnet1mime_type!'}, {0x0, 0x4da0, 0x9, 0x7fffffff, '/dev/rtc\x00'}]}, 0x108)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  465.849295][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:33 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero\x00', 0x800, 0x0)
ioctl$IOC_PR_RESERVE(r1, 0x401070c9, &(0x7f0000000140)={0x8001, 0x7})
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x101000, 0x0)
readahead(r0, 0x7fff, 0x4)
socket$inet_tcp(0x2, 0x1, 0x0)
r3 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/am_droprate\x00', 0x2, 0x0)
setsockopt$inet6_MRT6_ADD_MFC(r3, 0x29, 0xcc, &(0x7f0000000080)={{0xa, 0x4e21, 0x20c, @dev={0xfe, 0x80, [], 0xf}, 0x1f}, {0xa, 0x4e20, 0x7, @remote, 0x5}, 0x9, [0x3, 0xc1, 0x400, 0xde02, 0x80000000, 0x7fffffff, 0xb55f, 0x757]}, 0x5c)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

17:34:33 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4800000000000000, 0x0, 0x0})

[  465.899925][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  465.938628][ T7838] binder: send failed reply for transaction 1454, target dead
[  466.014914][ T2364] binder: 2357:2364 ioctl c0306201 200001c0 returned -14
[  466.057399][ T2364] binder: BINDER_SET_CONTEXT_MGR already set
[  466.082909][ T7838] binder: release 2357:2364 transaction 1460 out, still active
[  466.092673][ T2364] binder: 2357:2364 ioctl 40046207 0 returned -16
[  466.102701][ T7838] binder: unexpected work type, 4, not freed
[  466.123810][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:33 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:33 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1f, &(0x7f00000000c0)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:33 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x0, 0x0)
getsockopt$inet6_buf(r2, 0x29, 0x22, &(0x7f0000000080)=""/212, &(0x7f0000000180)=0xd4)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:33 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x4c00000000000000, 0x0, 0x0})

[  466.148087][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  466.184837][ T7838] binder: send failed reply for transaction 1460, target dead
17:34:33 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
ioctl$sock_FIOGETOWN(0xffffffffffffff9c, 0x8903, &(0x7f0000000000)=<r1=>0x0)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000040)=<r2=>0x0)
kcmp(r1, r2, 0x6, r0, r0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  466.289307][ T2578] binder: 2560:2578 ioctl c0306201 200001c0 returned -14
17:34:33 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  466.336384][ T2661] binder_alloc_mmap_handler: 5 callbacks suppressed
[  466.336402][ T2661] binder_alloc: binder_alloc_mmap_handler: 2560 20001000-20004000 already mapped failed -16
17:34:33 executing program 1:
prctl$PR_SET_SPECULATION_CTRL(0x35, 0x0)
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008910, &(0x7f0000000040)="0adc1f120012a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:33 executing program 4:
r0 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000002f00)='/dev/qat_adf_ctl\x00', 0x20801, 0x0)
r1 = syz_genetlink_get_family_id$nbd(&(0x7f0000002f80)='nbd\x00')
sendmsg$NBD_CMD_STATUS(r0, &(0x7f0000003040)={&(0x7f0000002f40)={0x10, 0x0, 0x0, 0xb8e85b203db38557}, 0xc, &(0x7f0000003000)={&(0x7f0000002fc0)={0x2c, r1, 0x700, 0x70bd27, 0x25dfdbff, {}, [@NBD_ATTR_BLOCK_SIZE_BYTES={0xc, 0x3, 0x3}, @NBD_ATTR_CLIENT_FLAGS={0xc}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4000}, 0x4000)
ioctl$RTC_AIE_OFF(r0, 0x7002)
r2 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r2, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
write$FUSE_INTERRUPT(r0, &(0x7f0000000000)={0x10, 0x0, 0x7}, 0x10)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

[  466.424296][ T2578] binder: BINDER_SET_CONTEXT_MGR already set
[  466.457504][ T2578] binder: 2560:2578 ioctl 40046207 0 returned -16
[  466.482889][ T2774] binder_alloc_new_buf_locked: 3 callbacks suppressed
[  466.482897][ T2774] binder_alloc: 2560: binder_alloc_buf, no vma
[  466.507479][ T2774] binder_transaction: 3 callbacks suppressed
[  466.507498][ T2774] binder: 2560:2774 transaction failed 29189/-3, size 24-8 line 3147
[  466.543299][ T2578] binder: 2560:2578 ioctl c0306201 200001c0 returned -14
[  466.545953][ T2781] QAT: Invalid ioctl
[  466.553325][ T7838] binder: unexpected work type, 4, not freed
[  466.572284][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:33 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6000000000000000, 0x0, 0x0})

17:34:33 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$sndpcmc(&(0x7f00000002c0)='/dev/snd/pcmC#D#c\x00', 0x8001, 0x16080)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f0000000300)={<r3=>0x0, @in6={{0xa, 0x4e20, 0x6e9, @loopback, 0x7f}}}, &(0x7f00000003c0)=0x84)
setsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r2, 0x84, 0x18, &(0x7f0000000400)={r3, 0x3}, 0x8)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000080)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x78, 0x90, 0x7, {"4fca0ef010924a4a2a5889e0a919aeea0e446fd0abbc67dcc83862062736794ade217f1fe17fed27b72293779db1e9960ece7b7cf64c24c789f99a2ccd85f7e4e250867ecae5c592a7504507525053685bd032d07a2407f0cedb30e0eab0c83d12c6247c01ed436e8ffddca227d74752972117ad8e"}}, {0x0, "9b238a3d5a188118a35e6322d202b72a7c77c7479f1f76e778fe0aeee174e4e6422d5bffe4b107188f0796143920210f894af604088bde9dee710c9d2d40ad9b5590d80be8e4fc6eb4a38c95451520c3c7217adad7610aec7867c632fa5672bbad1d781e85b34ce9e2e5430af7a4f5c8bcb54484d99a05431083d53c556e420007ea255c23ca124186967d6a5468c39357320b42e8ae2d367398797c6679d8b8073d29682c3a392454c6f98d88cde836432549c8dcf8c16e92eb18"}}, &(0x7f0000000200)=""/124, 0x14d, 0x7c}, 0x20)

[  466.595696][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  466.626080][ T7838] binder: send failed reply for transaction 1466, target dead
17:34:34 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x2000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:34 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0xffffffff, 0x40080)
getsockopt$inet_sctp6_SCTP_NODELAY(r1, 0x84, 0x3, &(0x7f0000000040), &(0x7f00000000c0)=0x4)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  466.688430][ T2916] binder: 2911:2916 ioctl c0306201 200001c0 returned -14
17:34:34 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20d50100000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  466.753106][ T2977] binder_alloc: binder_alloc_mmap_handler: 2911 20001000-20004000 already mapped failed -16
17:34:34 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc000400000000000070e6271beba10186c68fc4641819e9328c5ff6926cfb14ba0a2ab10852fac77652f7c4475ee8aeacac82ca8cf504da99ed65107c607e5517b8bb9b43dca9cedfe44324a7ee09c14cfaa6274a4e4a17ae070dec8f53afdb689ad92d20c01f03d7dcae3d84a1e6dbe5cabc8cceae298a5bc6507080878c4032166cf7138e24ebca02d3c8467e72d8c4400fae6a664aba0a78c0caa6ce547cad0e22e50f36d3e04a64db75777f0a85363dc455c6f737eab3f9b1f1a9e4c579bca59fbe7c07000000be18d33a7e1decf9aeff516b26328cf9476d520e68c49602ba960c528f84385d04b7")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  466.821014][ T2916] binder: BINDER_SET_CONTEXT_MGR already set
[  466.851318][ T2916] binder: 2911:2916 ioctl 40046207 0 returned -16
17:34:34 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
pipe(&(0x7f00000000c0)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
accept4$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000140)=0x14, 0x80800)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
finit_module(r0, &(0x7f0000000080)='md5sum##\x00', 0x1)

[  466.910289][ T7838] binder: unexpected work type, 4, not freed
[  466.916604][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  466.946784][ T7838] binder: send failed reply for transaction 1473, target dead
17:34:34 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6800000000000000, 0x0, 0x0})

17:34:34 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
r0 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0x7, 0x634403)
write$P9_RLOCK(r0, &(0x7f0000000040)={0x8, 0x35, 0x1, 0x3}, 0x8)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r1 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
ioctl$PPPIOCATTACH(r1, 0x4004743d, &(0x7f00000000c0))
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  467.100729][ T3288] binder: 3284:3288 ioctl c0306201 200001c0 returned -14
17:34:34 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000000)=<r2=>0x0)
ioctl$sock_FIOSETOWN(r0, 0x8901, &(0x7f0000000080)=r2)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  467.144957][ T3343] binder_alloc: binder_alloc_mmap_handler: 3284 20001000-20004000 already mapped failed -16
[  467.165449][ T3288] binder: BINDER_SET_CONTEXT_MGR already set
17:34:34 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x30710000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:34 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x9, 0x41)
clock_gettime(0x0, &(0x7f0000000100)={<r2=>0x0, <r3=>0x0})
utimensat(r1, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000140)={{r2, r3/1000+10000}, {0x0, 0x2710}}, 0x100)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r4 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r4}], 0x1, 0x100000001)

[  467.223261][ T3343] binder_alloc: 3284: binder_alloc_buf, no vma
[  467.255164][ T3288] binder: 3284:3288 ioctl 40046207 0 returned -16
[  467.297031][ T7838] binder: unexpected work type, 4, not freed
[  467.304173][ T3343] binder: 3284:3343 transaction failed 29189/-3, size 24-8 line 3147
[  467.312926][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:34 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:34 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x80, 0x0)
ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000080)={0x5})

[  467.341631][ T7838] binder: send failed reply for transaction 1478, target dead
17:34:34 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x6c00000000000000, 0x0, 0x0})

[  467.400682][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:34 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$sock_inet_SIOCSIFNETMASK(r0, 0x891c, &(0x7f0000000080)={'ip_vti0\x00', {0x2, 0x4e21, @local}})
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
socket$bt_bnep(0x1f, 0x3, 0x4)

17:34:34 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x6, 0x2000)
fcntl$setlease(r0, 0x400, 0x3)
ioctl$KVM_DEASSIGN_DEV_IRQ(r3, 0x4040ae75, &(0x7f0000000100)={0x2, 0x9, 0x100000000, 0x200})
getsockname$inet6(r3, &(0x7f0000000040)={0xa, 0x0, 0x0, @initdev}, &(0x7f00000000c0)=0x1c)
setregid(0x0, 0x0)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r3, 0x84, 0x1c, &(0x7f0000000140), &(0x7f0000000180)=0x4)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  467.530648][ T3615] binder: 3578:3615 ioctl c0306201 200001c0 returned -14
[  467.567803][ T3675] binder_alloc: binder_alloc_mmap_handler: 3578 20001000-20004000 already mapped failed -16
17:34:34 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
lookup_dcookie(0x1, &(0x7f0000000080)=""/252, 0xfc)
ioctl(r0, 0x1000008913, &(0x7f0000000000)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  467.619403][ T3615] binder: BINDER_SET_CONTEXT_MGR already set
[  467.657244][ T3615] binder: 3578:3615 ioctl 40046207 0 returned -16
[  467.698234][ T3722] binder_alloc: 3578: binder_alloc_buf, no vma
17:34:35 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rtc\x00', 0x400800000000000, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  467.746707][ T3722] binder: 3578:3722 transaction failed 29189/-3, size 24-8 line 3147
[  467.758508][ T7838] binder: send failed reply for transaction 1484 to 3578:3615
[  467.771871][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:35 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x40d70100000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:35 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7400000000000000, 0x0, 0x0})

[  467.802504][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  467.836204][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:35 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x4bb, 0x200)
getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f0000000080), &(0x7f00000000c0)=0x14)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

17:34:35 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x30710000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  467.943056][ T3986] binder: 3965:3986 ioctl c0306201 200001c0 returned -14
17:34:35 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = syz_open_dev$radio(&(0x7f0000000080)='/dev/radio#\x00', 0x3, 0x2)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x20000, 0x100)

[  467.998495][ T4050] binder_alloc: binder_alloc_mmap_handler: 3965 20001000-20004000 already mapped failed -16
[  468.064061][ T3986] binder: BINDER_SET_CONTEXT_MGR already set
[  468.094486][ T3986] binder: 3965:3986 ioctl 40046207 0 returned -16
17:34:35 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0x0, 0x2800)
ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffffff, 0xc0206434, &(0x7f0000000040)={0x8, <r2=>0x0, 0x10001, 0x1000})
ioctl$DRM_IOCTL_AGP_UNBIND(r1, 0x40106437, &(0x7f00000000c0)={r2, 0xffff})
r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  468.127522][ T4153] binder_alloc: 3965: binder_alloc_buf, no vma
[  468.160187][ T4153] binder: 3965:4153 transaction failed 29189/-3, size 24-8 line 3147
17:34:35 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x60bca38f7f0000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  468.191724][ T3986] binder: 3965:3986 ioctl c0306201 200001c0 returned -14
[  468.209043][ T7838] binder_thread_release: 3 callbacks suppressed
[  468.209054][ T7838] binder: release 3965:3986 transaction 1490 out, still active
17:34:35 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x82, 0x0)
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000000c0)='IPVS\x00')
sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000200)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x400010}, 0xc, &(0x7f00000001c0)={&(0x7f0000000100)={0x90, r2, 0x601, 0x70bd2a, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x40, 0x1, [@IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@rand_addr="1760a391a7b299192726285f547292b8"}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x22, 0xc}}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x1}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@initdev={0xfe, 0x88, [], 0x1, 0x0}}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x534}, @IPVS_CMD_ATTR_DAEMON={0x1c, 0x3, [@IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x1}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x3}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @local}]}, @IPVS_CMD_ATTR_SERVICE={0x10, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x8, 0x20}}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x100}]}, 0x90}, 0x1, 0x0, 0x0, 0x4000000}, 0x81)
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
socket$vsock_dgram(0x28, 0x2, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

17:34:35 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = dup2(r0, r0)
write$P9_RLOPEN(r1, &(0x7f0000000080)={0x18, 0xd, 0x1, {{0x0, 0x4, 0x6}, 0x8}}, 0x18)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rtc\x00', 0xffffffffffff7ffd, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:35 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x7a00000000000000, 0x0, 0x0})

[  468.303380][ T7838] binder: unexpected work type, 4, not freed
[  468.328783][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  468.368884][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  468.388633][ T4269] binder: 4268:4269 ioctl c0306201 200001c0 returned -14
[  468.424122][ T4298] binder_alloc: binder_alloc_mmap_handler: 4268 20001000-20004000 already mapped failed -16
[  468.439809][    C1] net_ratelimit: 18 callbacks suppressed
[  468.439817][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  468.451371][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  468.454458][ T4269] binder: BINDER_SET_CONTEXT_MGR already set
[  468.466820][ T4269] binder: 4268:4269 ioctl 40046207 0 returned -16
[  468.474386][ T4384] binder_alloc: 4268: binder_alloc_buf, no vma
[  468.481483][ T4384] binder: 4268:4384 transaction failed 29189/-3, size 24-8 line 3147
[  468.491605][ T7838] binder: release 4268:4269 transaction 1497 out, still active
[  468.499533][ T4269] binder: 4268:4269 ioctl c0306201 200001c0 returned -14
[  468.509828][ T7838] binder: unexpected work type, 4, not freed
[  468.517686][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:35 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x601a0100000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:35 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0xfdfdffff00000000, 0x0, 0x0})

17:34:35 executing program 1:
clone(0x4100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = gettid()
futex(&(0x7f0000000140)=0x2, 0x0, 0x2, 0x0, 0x0, 0x0)
ptrace$setopts(0x4206, r0, 0x0, 0x0)
tkill(r0, 0x38)
ptrace$cont(0x4204, r0, 0x0, 0xfffffffffffff399)
r1 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$sndseq(&(0x7f0000000000)='/dev/snd/seq\x00', 0x0, 0x0)
r3 = dup2(r1, r2)
r4 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r4, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r5 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x100, 0x0)
r6 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snapshot\x00', 0x432000, 0x0)
ioctl$KVM_IRQFD(r4, 0x4020ae76, &(0x7f0000000100)={r5, 0x2, 0x5, r6})
ioctl$BLKDISCARD(r3, 0x1277, &(0x7f00000003c0)=0x9)
r7 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$sock_inet_SIOCSIFBRDADDR(r4, 0x891a, &(0x7f00000001c0)={'hwsim0\x00', {0x2, 0x4e21, @remote}})
getsockopt$inet_sctp_SCTP_DELAYED_SACK(r5, 0x84, 0x10, &(0x7f0000000200)=@sack_info={<r8=>0x0, 0x8, 0x7}, &(0x7f0000000240)=0xc)
getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r5, 0x84, 0x6c, &(0x7f0000000280)={r8, 0xef, "d340f50188798d36dc008fe949afaba6c121beea59af093348641ccc8874f33406b1c5fb24fdc7682d4a42a6b61a40775c3b51ff696324ff87a83f77ae2912cad5328eabcbe663f2d75f915e0373267ca0ceeac6ca62f6f53fe6ed85d4733cf315bbd5bd556d55b7551eab496e1319f159cb2f4b07a53e975e2ff8a9d026dc593bea3bddc155973d099e28971891415242580b7a46327d8d1db294cf5bc89dd64f33ae9ed813ba4918675248ceac6ec9385565168e93efa99777ff0c59510d5e6577c1122dfe71f0ae7592069335e87adcbdfd98151bd16edc267b9e8266fd34310c98bc1d32595192b0a81d10ff84"}, &(0x7f0000000380)=0xf7)
poll(&(0x7f0000000000)=[{r7}], 0x1, 0x100000001)

17:34:35 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f00000001c0)="0adc8dff215dbb00000000b6f8125ba3596dd1d333e304f3c652cb17c8ed7e3b3a9dff6569d18ff42b2448624e404305cef3e207d094c63877960befaaec39eb")
r1 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0x6, 0x1)
ioctl$KVM_SMI(r1, 0xaeb7)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x20040, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

17:34:35 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000040)={0xffffffffffffffff, r0, 0x0, 0x9, &(0x7f0000000000)='/dev/kvm\x00'}, 0x30)
getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f00000000c0)={<r1=>0x0}, &(0x7f0000000100)=0xc)
getpriority(0x2, r1)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  468.717602][ T4487] binder: 4486:4487 ioctl c0306201 200001c0 returned -14
17:34:36 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80ffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  468.780042][ T4613] binder_alloc: binder_alloc_mmap_handler: 4486 20001000-20004000 already mapped failed -16
[  468.809433][ T4487] binder: BINDER_SET_CONTEXT_MGR already set
17:34:36 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = socket$tipc(0x1e, 0x5, 0x0)
r3 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-monitor\x00', 0x200, 0x0)
read$rfkill(r3, &(0x7f0000000100), 0x8)
setsockopt$TIPC_IMPORTANCE(r2, 0x10f, 0x7f, &(0x7f0000000080)=0x2, 0x4)
ioctl$TIOCMSET(r3, 0x5418, &(0x7f0000000140)=0x2)

[  468.839822][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  468.842670][ T4487] binder: 4486:4487 ioctl 40046207 0 returned -16
[  468.845657][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:36 executing program 4:
ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2)
r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r0, 0x80247009)

[  468.902485][ T4613] binder_alloc: 4486: binder_alloc_buf, no vma
[  468.931407][ T7838] binder: send failed reply for transaction 1504 to 4486:4487
[  468.940319][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  468.958995][ T4613] binder: 4486:4613 transaction failed 29189/-3, size 24-8 line 3147
17:34:36 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
setsockopt$inet_tcp_buf(r2, 0x6, 0xb, &(0x7f00000000c0)="da7a06d3308fcd20d02150b86044f5089025f6c49523e945e7e4be3107f0482f158af261d1a04e6e900ff0ddd8c4e35952e1b0860371b65474410ee468ef197955e176112d7d2f966430f784a31ba9f8dde1c4817e0dfdef5b6d67f0ba3e2b467d840098952967ee83eff814f41514edfd05bd96dd959ca23c23f5985d8574168c409627bd313721b6d890089e8fc5e880e54b19886f", 0x96)

[  468.999910][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  469.005896][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:36 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x2, 0x0})

17:34:36 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x801c0100000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:36 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
pipe2(&(0x7f0000000080)={<r2=>0xffffffffffffffff}, 0x80800)
io_setup(0x8, &(0x7f0000000100))
setsockopt$packet_int(r2, 0x107, 0x1f, &(0x7f00000000c0)=0x3, 0x4)

17:34:36 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
getsockopt$EBT_SO_GET_INIT_INFO(r0, 0x0, 0x82, &(0x7f0000000080)={'nat\x00'}, &(0x7f0000000000)=0x78)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  469.191197][ T4917] binder_alloc: binder_alloc_mmap_handler: 4914 20001000-20004000 already mapped failed -16
[  469.236713][ T4915] binder: BINDER_SET_CONTEXT_MGR already set
[  469.263441][ T4915] binder: 4914:4915 ioctl 40046207 0 returned -16
[  469.298949][ T7838] binder: release 4914:4915 transaction 1510 out, still active
[  469.309085][ T4917] binder_alloc: 4914: binder_alloc_buf, no vma
[  469.318390][ T7838] binder: unexpected work type, 4, not freed
17:34:36 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc\x00', 0x4001, 0x0)
syz_open_dev$rtc(&(0x7f0000000000)='/dev/rtc#\x00', 0x10001, 0x86000)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
fcntl$setlease(r1, 0x400, 0x1)

[  469.347303][ T4917] binder: 4914:4917 transaction failed 29189/-3, size 24-8 line 3147
[  469.358385][ T7838] binder_send_failed_reply: 2 callbacks suppressed
[  469.358392][ T7838] binder: send failed reply for transaction 1510, target dead
17:34:36 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x3, 0x0})

17:34:36 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa0700000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:36 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80ffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:36 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
getgroups(0xa, &(0x7f0000000000)=[0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xee00, 0xee01, 0xee00, 0xffffffffffffffff, 0xee01, 0xee01])
lstat(&(0x7f0000000040)='./file0\x00', &(0x7f00000000c0))
fstat(r0, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0})
r4 = getegid()
setregid(r4, r3)
r5 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f00000001c0)='/proc/capi/capi20ncci\x00', 0x42000, 0x0)
ioctl$VIDIOC_QUERYMENU(r5, 0xc02c5625, &(0x7f0000000200)={0x100000001, 0xe48, @name="bd54b0aab1380b28f3bc8300ccb78e4e0278611361210079b82c8423f9a92206"})
r6 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  469.479851][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  469.485988][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:36 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000140)='/dev/rtc\x00', 0x2, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
write(r0, &(0x7f0000000080)="ea9afe1cf539a37f1ce5f2ba8e9aca038477", 0x12)
fcntl$getown(r0, 0x9)

[  469.553509][ T5190] binder_alloc: binder_alloc_mmap_handler: 5150 20001000-20004000 already mapped failed -16
[  469.567996][ T5162] binder: BINDER_SET_CONTEXT_MGR already set
[  469.581544][ T5162] binder: 5150:5162 ioctl 40046207 0 returned -16
[  469.640450][ T7838] binder: release 5150:5162 transaction 1516 out, still active
[  469.648085][ T7838] binder: unexpected work type, 4, not freed
[  469.655030][ T5190] binder_alloc: 5150: binder_alloc_buf, no vma
[  469.674195][ T5190] binder: 5150:5190 transaction failed 29189/-3, size 24-8 line 3147
17:34:37 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f00000010c0)='/dev/dlm_plock\x00', 0x0, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc2c123ca647241eb083b225289acdf866c0591170")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r3 = syz_open_dev$sndpcmp(&(0x7f0000001080)='/dev/snd/pcmC#D#p\x00', 0xfffffffffffff98a, 0x301000)
getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000001100)={{{@in6=@dev, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in6=@local}, 0x0, @in6=@initdev}}, &(0x7f0000001200)=0xe8)
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000001240)={0x0, 0x0, <r5=>0x0}, &(0x7f0000001280)=0xc)
fchown(r1, r4, r5)
pread64(r0, &(0x7f0000000080)=""/4096, 0x1000, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

[  469.686555][ T7838] binder: send failed reply for transaction 1516, target dead
17:34:37 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4, 0x0})

17:34:37 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = syz_open_dev$media(&(0x7f0000000080)='/dev/media#\x00', 0x0, 0x800)
ioctl$DRM_IOCTL_GET_STATS(r2, 0x80f86406, &(0x7f00000000c0)=""/104)

[  469.863214][ T5407] binder_alloc: binder_alloc_mmap_handler: 5369 20001000-20004000 already mapped failed -16
17:34:37 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb0500000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:37 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0xffff, 0x200000)
ioctl$SNDRV_TIMER_IOCTL_PVERSION(r1, 0x80045400, &(0x7f0000000100))
ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000140)=<r2=>0x0)
mq_notify(r1, &(0x7f0000000180)={0x0, 0x8, 0x1, @tid=r2})
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)
ioctl$EXT4_IOC_GROUP_ADD(r1, 0x40286608, &(0x7f00000001c0)={0x0, 0x9, 0x0, 0x5, 0x7, 0xfffffffffffffff9})
poll(&(0x7f0000000080)=[{r0, 0x404}, {r3, 0x8}, {r3, 0x4080}, {r0, 0x80}, {r3, 0x82}, {r3, 0x20}, {r0, 0x40}, {r3, 0x80}, {r0, 0x1015}, {r0, 0x400}], 0xa, 0x81)

[  469.913967][ T5393] binder: BINDER_SET_CONTEXT_MGR already set
[  469.946520][ T5393] binder: 5369:5393 ioctl 40046207 0 returned -16
[  469.997804][ T5505] binder_alloc: 5369: binder_alloc_buf, no vma
17:34:37 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x0, 0x0, 0x0, 0x3)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
getsockopt$inet_pktinfo(0xffffffffffffff9c, 0x0, 0x8, &(0x7f0000000000)={<r1=>0x0, @broadcast}, &(0x7f0000000040)=0xc)
ioctl$sock_inet6_SIOCSIFDSTADDR(r0, 0x8918, &(0x7f00000000c0)={@loopback, 0x28, r1})
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
socket$isdn_base(0x22, 0x3, 0x0)
mmap(&(0x7f00003c9000/0x1000)=nil, 0x1000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
r4 = syz_open_dev$dspn(&(0x7f0000000100)='/dev/dsp#\x00', 0x2, 0x500)
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r4, 0xc08c5335, &(0x7f0000000140)={0x7, 0x0, 0x20, 'queue0\x00'})
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  470.040884][ T5505] binder: 5369:5505 transaction failed 29189/-3, size 24-8 line 3147
[  470.069091][ T7838] binder: release 5369:5393 transaction 1522 out, still active
17:34:37 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa0700000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  470.090569][ T7838] binder: unexpected work type, 4, not freed
[  470.126308][ T7838] binder_release_work: 4 callbacks suppressed
[  470.126315][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:37 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x80003, 0x0)
ioctl$NBD_SET_TIMEOUT(r1, 0xab09, 0x100)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:37 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x5, 0x0})

[  470.174482][ T7838] binder: send failed reply for transaction 1522, target dead
[  470.259048][ T5692] Unknown ioctl 43785
[  470.278507][ T5693] binder: BINDER_SET_CONTEXT_MGR already set
[  470.279843][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  470.284658][    C0] protocol 88fb is buggy, dev hsr_slave_0
17:34:37 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = fcntl$dupfd(r1, 0x406, r0)
getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(0xffffffffffffff9c, 0x84, 0x72, &(0x7f0000000000)={<r3=>0x0, 0x0, 0x10}, &(0x7f00000000c0)=0xc)
setsockopt$inet_sctp_SCTP_RESET_ASSOC(r2, 0x84, 0x78, &(0x7f0000000100)=r3, 0x4)
fcntl$getownex(r1, 0x10, &(0x7f0000000140)={0x0, <r4=>0x0})
ioctl$sock_FIOSETOWN(r0, 0x8901, &(0x7f0000000080)=r4)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
setsockopt$inet6_tcp_buf(r2, 0x6, 0x1e, &(0x7f0000000180)="e6dee0e5b6a35bbb4248e25570d9278eb03e398c82e8c713dd2676d3d68b7caaaf4910563523e5315ad53916e5e28f160582788680d167fd5df989293d4c0cc1f17cca31283c7bfb11b8e56409c28b784fe37495cb80e1123cb4932094f26ac777efe24af9cf249d1be69cf94f8ea04c283bf72725f518702c63a071b5f490adee122fdf261672b4a2aa7978caeeb19ca17d2c7f34d467c77cc8db54f5a2483898158fa5cd4817a1a087727ac431307e9317d7141bd74c0e7863620768f91c897463bf27a3c53bf0bc17912aca3e5a83c0c0096b25155c69d15eb0179f271204ab2e223973026cc54dc4607ef8c3ef20ce3c", 0xf2)

[  470.374396][ T5693] binder: 5679:5693 ioctl 40046207 0 returned -16
[  470.382164][ T7838] binder: send failed reply for transaction 1529 to 5679:5693
[  470.389672][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:37 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x800)
write$P9_RMKDIR(r1, &(0x7f0000000140)={0x14, 0x49, 0x1, {0x20}}, 0x14)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snapshot\x00', 0x442, 0x0)
setsockopt$RXRPC_UPGRADEABLE_SERVICE(r2, 0x110, 0x5, &(0x7f00000000c0)=[0x0, 0x1], 0x2)
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$SCSI_IOCTL_SYNC(r2, 0x4)
poll(&(0x7f0000000000)=[{r3, 0x102}], 0x1, 0x5)

17:34:37 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6, 0x0})

17:34:37 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:37 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x6)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:37 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb0500000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  470.565952][ T5900] binder: BINDER_SET_CONTEXT_MGR already set
[  470.621671][ T7838] binder: release 5885:5900 transaction 1534 out, still active
[  470.629448][ T5900] binder: 5885:5900 ioctl 40046207 0 returned -16
[  470.650788][ T7838] binder: unexpected work type, 4, not freed
17:34:38 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = socket$alg(0x26, 0x5, 0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000080)={{{@in6=@dev, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0}}, {{@in6=@mcast2}, 0x0, @in=@multicast1}}, &(0x7f0000000000)=0xe8)
r4 = getgid()
fchown(r2, r3, r4)

17:34:38 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7, 0x0})

[  470.671632][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  470.705307][ T7838] binder: send failed reply for transaction 1534, target dead
17:34:38 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008914, &(0x7f0000000080)="0a08006cd3ba3805d8849803d903a894327968ce")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  470.833685][ T6060] binder: BINDER_SET_CONTEXT_MGR already set
[  470.854010][ T6073] binder_alloc: 6038: binder_alloc_buf, no vma
[  470.875784][ T6060] binder: 6038:6060 ioctl 40046207 0 returned -16
[  470.894796][ T7838] binder: release 6038:6060 transaction 1539 out, still active
[  470.904748][ T6073] binder: 6038:6073 transaction failed 29189/-3, size 24-8 line 3147
[  470.914287][ T7838] binder: unexpected work type, 4, not freed
[  470.930268][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  470.936189][ T7838] binder: send failed reply for transaction 1539, target dead
17:34:38 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x3, 0x2)
getsockopt$bt_BT_CHANNEL_POLICY(r2, 0x112, 0xa, &(0x7f0000000080)=0x1000, &(0x7f00000000c0)=0x4)

17:34:38 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0xa, 0x0})

[  470.967981][ T7838] binder_release_work: 5 callbacks suppressed
[  470.967988][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:38 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
r2 = gettid()
r3 = syz_open_dev$mice(&(0x7f00000000c0)='/dev/input/mice\x00', 0x0, 0x101000)
ioctl$SNDRV_CTL_IOCTL_ELEM_ADD(r3, 0xc1105517, &(0x7f0000000140)={{0x6, 0x1, 0x4, 0xc7, 'syz1\x00', 0x2}, 0x6, 0x30000050, 0x4, r2, 0x1, 0x7a5, 'syz0\x00', &(0x7f0000000100)=['\x00'], 0x1, [], [0x8, 0x6, 0x1, 0x8]})
fcntl$setown(r0, 0x8, r2)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r5 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x200002, 0x0)
setsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r5, 0x84, 0x12, &(0x7f0000000040)=0x6, 0x4)
setregid(0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:38 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100004000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:38 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ubi_ctrl\x00', 0x68001, 0x0)
ioctl$sock_bt_cmtp_CMTPGETCONNINFO(r2, 0x800443d3, &(0x7f00000000c0)={{0x7, 0xff, 0x4, 0xb5a, 0xffffffff, 0x3}, 0x0, 0xdc, 0x3ff})
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  471.082953][ T6241] binder: BINDER_SET_CONTEXT_MGR already set
17:34:38 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  471.134839][ T7838] binder: release 6240:6241 transaction 1545 out, still active
[  471.146398][ T6241] binder: 6240:6241 ioctl 40046207 0 returned -16
[  471.155556][ T7838] binder: unexpected work type, 4, not freed
17:34:38 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x48, 0x0})

[  471.191716][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  471.231525][ T7838] binder: send failed reply for transaction 1545, target dead
17:34:38 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f00000011c0)='/dev/rtc\x00', 0x5, 0x0)
r2 = creat(&(0x7f0000000000)='./file0\x00', 0x88)
ioctl$KVM_GET_CPUID2(r2, 0xc008ae91, &(0x7f0000000080)=ANY=[@ANYBLOB="040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"])
r3 = shmget(0x2, 0x3000, 0x800, &(0x7f0000ffc000/0x3000)=nil)
shmctl$SHM_STAT(r3, 0xd, &(0x7f00000001c0)=""/4096)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:38 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rtc\x00', 0x44000, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  471.369622][ T6471] binder_alloc_mmap_handler: 4 callbacks suppressed
[  471.369640][ T6471] binder_alloc: binder_alloc_mmap_handler: 6464 20001000-20004000 already mapped failed -16
[  471.418151][ T6467] binder: BINDER_SET_CONTEXT_MGR already set
[  471.453923][ T6467] binder: 6464:6467 ioctl 40046207 0 returned -16
[  471.481973][ T7838] binder: release 6464:6467 transaction 1550 out, still active
[  471.504332][ T7838] binder: unexpected work type, 4, not freed
17:34:38 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000080)="374e3650da6459656d782d59cc237a0adc1f123c12a40088b07021ec247fc28df6e23b319529418e34ef9247f95ac238a91010a53bf667d8a4575c515003753cc1c4729fd53a84463b5a110c72ead7c4db78ebb4dec8f80c5dabc893b9f52c70b7baa967c2edbde581596da8898dbed4df2d6bf59aea9a902ea09f4f6e0e14eb063f7311867a3223ca")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:38 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100004000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:38 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4c, 0x0})

[  471.534001][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  471.564707][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:38 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x40, 0x0)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000140)='/dev/rtc\x00', 0x40, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$ION_IOC_HEAP_QUERY(r1, 0xc0184908, &(0x7f0000000100)={0x34, 0x0, &(0x7f00000000c0)})

[  471.600173][ T7838] binder: send failed reply for transaction 1550, target dead
[  471.619021][ T6686] binder_alloc: binder_alloc_mmap_handler: 6684 20001000-20004000 already mapped failed -16
17:34:39 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
ioctl$FS_IOC_SETVERSION(r1, 0x40087602, &(0x7f0000000100)=0x7fffffff)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
r4 = getpgrp(0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000040)={r4, r0, 0x0, 0xd, &(0x7f0000000000)='\\selfem0&*:\'\x00'}, 0x30)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
ioctl$KVM_X86_SET_MCE(r3, 0x4040ae9e, &(0x7f00000000c0)={0x0, 0x0, 0x8001, 0x2, 0x3})

[  471.665001][ T6685] binder: BINDER_SET_CONTEXT_MGR already set
[  471.694097][ T6685] binder: 6684:6685 ioctl 40046207 0 returned -16
[  471.717397][ T6740] binder_alloc_new_buf_locked: 1 callbacks suppressed
[  471.717677][ T6740] binder_alloc: 6684: binder_alloc_buf, no vma
[  471.750327][ T7838] binder: release 6684:6685 transaction 1556 out, still active
[  471.758991][ T6740] binder_transaction: 1 callbacks suppressed
17:34:39 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  471.759009][ T6740] binder: 6684:6740 transaction failed 29189/-3, size 24-8 line 3147
17:34:39 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x80000, 0x0)
ioctl$SG_GET_VERSION_NUM(r2, 0x2282, &(0x7f0000000080))

[  471.802632][ T7838] binder: unexpected work type, 4, not freed
[  471.826737][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  471.863475][ T7838] binder: send failed reply for transaction 1556, target dead
17:34:39 executing program 1:
r0 = syz_open_dev$sndpcmc(&(0x7f0000000100)='/dev/snd/pcmC#D#c\x00', 0x853, 0x200)
ioctl$TIOCCBRK(r0, 0x5428)
ioctl$VIDIOC_ENUM_DV_TIMINGS(r0, 0xc0945662, &(0x7f0000000140)={0xfffffffffffffffd, 0x0, [], {0x0, @bt={0xfffffffffffffffe, 0xcc85, 0x0, 0x2, 0x5, 0x2, 0x9, 0x1000, 0x9, 0x5, 0x4, 0x0, 0x100, 0x9, 0xb, 0x5}}})
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$KDGKBTYPE(r0, 0x4b33, &(0x7f0000000500))
r2 = openat$vicodec1(0xffffffffffffff9c, &(0x7f0000000080)='/dev/video37\x00', 0x2, 0x0)
openat$audio(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/audio\x00', 0x0, 0x0)
ioctl$VIDIOC_G_INPUT(r2, 0x80045626, &(0x7f00000000c0))
prctl$PR_SET_KEEPCAPS(0x8, 0x0)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = getpgrp(0x0)
ioctl$VHOST_GET_FEATURES(r0, 0x8008af00, &(0x7f0000000340))
process_vm_writev(r3, &(0x7f0000000580)=[{&(0x7f0000000240)=""/196, 0xc4}], 0x100000000000013d, &(0x7f00000005c0), 0x10000014, 0x0)
r4 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r4}], 0x1, 0x100000001)
r5 = syz_genetlink_get_family_id$ipvs(&(0x7f00000003c0)='IPVS\x00')
sendmsg$IPVS_CMD_GET_SERVICE(r0, &(0x7f0000000480)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x80102}, 0xc, &(0x7f0000000440)={&(0x7f00000005c0)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="200026bd700004000000000000000800051cf3970f00080004000100000008000500ff000000080024000700000054ba8c9c753a412fd3ca98fb8b7c5e98d7c1c5d13ae4bcdcec37ef7507ac2666acca174ed70a46845cc852a56a6c6a638194fb80be54641198146f1e03040f4f85fe960be9234fc13dee8fe44e812d6c789e8d147d6a0a1fcfaa02eb00000000000000000000"], 0x34}, 0x1, 0x0, 0x0, 0x40000}, 0x4)
ioctl$KDGKBENT(r0, 0x4b46, &(0x7f0000000200)={0x9, 0x800, 0xca3c})

17:34:39 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x60, 0x0})

[  471.912454][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:39 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x100008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  472.011124][ T6992] binder_alloc: binder_alloc_mmap_handler: 6931 20001000-20004000 already mapped failed -16
[  472.072632][ T6934] binder: BINDER_SET_CONTEXT_MGR already set
17:34:39 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0xffffffffffffffff, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = dup(r1)
ioctl$NBD_SET_FLAGS(r2, 0xab0a, 0x2)

17:34:39 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
keyctl$session_to_parent(0x12)
preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x13d}], 0x1, 0x0)
r1 = syz_open_procfs(0x0, &(0x7f0000000140)='comm\x00')
preadv(r1, &(0x7f0000000480), 0x10000000000001e3, 0x0)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  472.116409][ T6934] binder: 6931:6934 ioctl 40046207 0 returned -16
[  472.146019][ T7118] binder_alloc: 6931: binder_alloc_buf, no vma
17:34:39 executing program 3:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
r3 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x800, 0x0)
getsockopt$inet_sctp6_SCTP_INITMSG(r3, 0x84, 0x2, &(0x7f0000000040), &(0x7f00000000c0)=0x8)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  472.203880][ T7118] binder: 6931:7118 transaction failed 29189/-3, size 24-8 line 3147
[  472.204083][ T7838] binder: send failed reply for transaction 1563 to 6931:6934
17:34:39 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x68, 0x0})

[  472.252732][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  472.274702][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  472.309075][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:39 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x10000c000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  472.381340][ T7251] binder_alloc: binder_alloc_mmap_handler: 7215 20001000-20004000 already mapped failed -16
17:34:39 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x100000890f, &(0x7f0000000040)="9ebe")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)
r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x80100, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r2, 0x227f, &(0x7f0000000080))

[  472.443283][ T7231] binder: BINDER_SET_CONTEXT_MGR already set
[  472.467598][ T7231] binder: 7215:7231 ioctl 40046207 0 returned -16
[  472.512399][ T7311] binder_alloc: 7215: binder_alloc_buf, no vma
[  472.524405][ T7342] Unknown ioctl 8831
[  472.534922][ T7838] binder: unexpected work type, 4, not freed
[  472.542275][ T7311] binder: 7215:7311 transaction failed 29189/-3, size 24-8 line 3147
[  472.552563][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:39 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000080)='/dev/zero\x00', 0x48000, 0x0)
getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r2, 0x84, 0x18, &(0x7f0000000180)={<r3=>0x0, 0x1}, &(0x7f00000001c0)=0xfffffffffffffc39)
getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x1b, &(0x7f00000000c0)={<r4=>r3, 0xb, "605905bd6df2bdd17933dd"}, &(0x7f0000000100)=0x3f9)
setsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f0000000140)={0xb17, 0x1, 0x4, 0x0, 0xf61, 0x1, 0x7, 0x90, r4}, 0x20)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:39 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6c, 0x0})

[  472.571562][ T7838] binder: send failed reply for transaction 1569, target dead
[  472.588922][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:39 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x10000c000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:40 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video35\x00', 0x2, 0x0)
r2 = syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x2, 0x2)
getsockopt$inet6_mtu(r2, 0x29, 0x17, &(0x7f0000000100), &(0x7f0000000140)=0x4)
ioctl$VIDIOC_STREAMON(r1, 0x40045612, &(0x7f0000000040)=0x20)
r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:40 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
r2 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x2, 0x2)
ioctl$VHOST_SET_VRING_ADDR(r2, 0x4028af11, &(0x7f0000000200)={0x3, 0x0, &(0x7f0000000080), &(0x7f00000000c0)=""/128, &(0x7f0000000140)=""/135, 0x6000})
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  472.724122][ T7476] binder_alloc: binder_alloc_mmap_handler: 7448 20001000-20004000 already mapped failed -16
[  472.807078][ T7450] binder: BINDER_SET_CONTEXT_MGR already set
[  472.817246][ T7450] binder: 7448:7450 ioctl 40046207 0 returned -16
[  472.825002][ T7559] binder_alloc: 7448: binder_alloc_buf, no vma
[  472.831771][ T7559] binder: 7448:7559 transaction failed 29189/-3, size 24-8 line 3147
[  472.841857][ T7838] binder: unexpected work type, 4, not freed
[  472.854484][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:40 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
syz_open_dev$midi(&(0x7f0000000080)='/dev/midi#\x00', 0x0, 0x200)

[  472.879614][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:40 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x74, 0x0})

17:34:40 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1, &(0x7f0000000000)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  472.938265][ T7838] binder: send failed reply for transaction 1576, target dead
17:34:40 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x200000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  473.037112][ T7687] binder_alloc: binder_alloc_mmap_handler: 7674 20001000-20004000 already mapped failed -16
[  473.102586][ T7679] binder: BINDER_SET_CONTEXT_MGR already set
[  473.108643][ T7679] binder: 7674:7679 ioctl 40046207 0 returned -16
17:34:40 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x200000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  473.160751][ T7869] binder_alloc: 7674: binder_alloc_buf, no vma
[  473.182250][ T7869] binder: 7674:7869 transaction failed 29189/-3, size 24-8 line 3147
17:34:40 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x200001000008912, &(0x7f00000001c0)="0adc1f123c12a41d88b0701d8968944292b0f3c4215ebf60a26bd0d049abf9cfbdf2")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
fsetxattr$trusted_overlay_opaque(r1, &(0x7f0000000080)='trusted.overlay.opaque\x00', &(0x7f0000000100)='y\x00', 0x2, 0x1)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:34:40 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r3 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x69, 0x101500)
setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r3, 0x6, 0x1d, &(0x7f0000000040)={0x2, 0x100, 0x71de, 0x5000000000000, 0x1}, 0x14)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  473.211415][ T7838] binder_thread_release: 2 callbacks suppressed
[  473.211429][ T7838] binder: release 7674:7679 transaction 1583 out, still active
17:34:40 executing program 4:
r0 = getpid()
ptrace$setregset(0x4205, r0, 0x207, &(0x7f0000000000)={&(0x7f00000000c0)="4383c171c10dec635a9c7c1bce24fe38273e7099e34d3e211ac582daa36f19bbff00f9fe95f6a6f566e4f7b1662f108b76dd04adf200e861a58277a707a2f3c8df85b08381f4c62166d1605c0d26e82c112853071b53697dc09429d8951b052606e2d31e69a199028b2324d116ad6e8e1ce04177ad136e2da8", 0x79})
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000208916, &(0x7f0000000080)="0adc1f123c12a41d88b0f0")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)
getsockopt$IPT_SO_GET_REVISION_MATCH(r1, 0x0, 0x42, &(0x7f0000000140)={'ipvs\x00'}, &(0x7f0000000180)=0x1e)

[  473.278854][ T7838] binder: unexpected work type, 4, not freed
17:34:40 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7a, 0x0})

[  473.331073][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  473.419146][ T8042] binder_alloc: binder_alloc_mmap_handler: 7999 20001000-20004000 already mapped failed -16
[  473.441117][ T8017] binder: BINDER_SET_CONTEXT_MGR already set
17:34:40 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x100000890f, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
setsockopt$netlink_NETLINK_RX_RING(r1, 0x10e, 0x6, &(0x7f0000000080)={0x7, 0x7, 0x0, 0x7ff}, 0x10)

[  473.477996][ T8017] binder: 7999:8017 ioctl 40046207 0 returned -16
[  473.510547][ T7838] binder: release 7999:8017 transaction 1590 out, still active
[  473.518581][ T8042] binder_alloc: 7999: binder_alloc_buf, no vma
17:34:40 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
getegid()
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  473.540690][ T7838] binder: unexpected work type, 4, not freed
[  473.552264][ T8042] binder: 7999:8042 transaction failed 29189/-3, size 24-8 line 3147
[  473.567991][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:40 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
getgid()
getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f0000000000), &(0x7f0000000040)=0xc)
getgroups(0x4, &(0x7f00000000c0)=[0x0, <r2=>0x0, 0xee00, 0x0])
getgroups(0x3, &(0x7f0000000100)=[0x0, 0xee00, 0x0])
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000140), &(0x7f0000000180)=0xc)
fstat(r0, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0})
setregid(r2, r3)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:40 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x300, 0x0})

17:34:40 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x300000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  473.639822][    C0] net_ratelimit: 19 callbacks suppressed
[  473.639831][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  473.645557][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:41 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x300000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:41 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc1f123c12b71ce328e0")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_ON(r1, 0x7001)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  473.812892][ T8296] binder_alloc: binder_alloc_mmap_handler: 8286 20001000-20004000 already mapped failed -16
[  473.860160][ T8294] binder: BINDER_SET_CONTEXT_MGR already set
[  473.888570][ T8294] binder: 8286:8294 ioctl 40046207 0 returned -16
[  473.912179][ T8366] binder_alloc: 8286: binder_alloc_buf, no vma
[  473.940579][ T7838] binder: release 8286:8294 transaction 1596 out, still active
[  473.949208][ T8366] binder: 8286:8366 transaction failed 29189/-3, size 24-8 line 3147
17:34:41 executing program 4:
r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x191600, 0x0)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_INFO(r0, 0xc0bc5310, &(0x7f0000000100))
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
r2 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_MRT6_DEL_MFC_PROXY(r2, 0x29, 0xd3, &(0x7f0000000080)={{0xa, 0x4e23, 0x1d4, @local, 0xfffffffffffffffa}, {0xa, 0x4e20, 0x7, @mcast2, 0x6}, 0x7ff, [0x8, 0x5, 0x401, 0xbd, 0x0, 0xe8c, 0x0, 0x1]}, 0x5c)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
clock_gettime(0x2, &(0x7f00000001c0))
exit(0x31)
fcntl$F_SET_FILE_RW_HINT(r3, 0x40e, &(0x7f0000000200)=0x2)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

[  473.959304][ T7838] binder: unexpected work type, 4, not freed
[  473.972812][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:41 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x500, 0x0})

17:34:41 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = getpgid(0x0)
prctl$PR_SET_PTRACER(0x59616d61, r1)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:41 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:41 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = getpgid(0xffffffffffffffff)
getpriority(0x3, r0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x80942, 0x0)
syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x6, 0x200000)
bind$bt_rfcomm(r1, &(0x7f0000000040)={0x1f, {0x5, 0x10001, 0x2420, 0x40, 0x3000000000000000, 0x4}, 0x5}, 0xa)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  474.136556][ T8529] binder_alloc: binder_alloc_mmap_handler: 8526 20001000-20004000 already mapped failed -16
17:34:41 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x400000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  474.192565][ T8527] binder: BINDER_SET_CONTEXT_MGR already set
[  474.213750][ T8527] binder: 8526:8527 ioctl 40046207 0 returned -16
[  474.227501][ T8548] binder_alloc: 8526: binder_alloc_buf, no vma
17:34:41 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x600, 0x0})

[  474.244194][ T8548] binder: 8526:8548 transaction failed 29189/-3, size 24-8 line 3147
[  474.268776][ T7838] binder: release 8526:8527 transaction 1603 out, still active
[  474.280174][ T7838] binder: unexpected work type, 4, not freed
17:34:41 executing program 1:
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng\x00', 0x242100, 0x0)
ioctl$KVM_GET_API_VERSION(r0, 0xae00, 0x0)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$VIDIOC_S_AUDIO(r0, 0x40345622, &(0x7f00000000c0)={0x100000000, "cd0a7789956042787fd26c4a6535155fca69d8d9f8f340b8b61a7a7dd2a633ac", 0x1})

[  474.371035][ T8664] binder_alloc: binder_alloc_mmap_handler: 8659 20001000-20004000 already mapped failed -16
[  474.439823][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  474.439842][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  474.445623][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  474.451396][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  474.479619][ T8663] binder: BINDER_SET_CONTEXT_MGR already set
[  474.513817][ T8663] binder: 8659:8663 ioctl 40046207 0 returned -16
[  474.527914][ T8725] binder_alloc: 8659: binder_alloc_buf, no vma
[  474.535086][ T8725] binder: 8659:8725 transaction failed 29189/-3, size 24-8 line 3147
17:34:41 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x500000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  474.561920][ T7838] binder: release 8659:8663 transaction 1610 out, still active
[  474.589347][ T7838] binder: unexpected work type, 4, not freed
17:34:41 executing program 3:
syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00')
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_DEASSIGN_PCI_DEVICE(r1, 0x4040ae72, &(0x7f0000000000)={0x7, 0x100000001, 0x3, 0x2, 0x7})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:41 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x700, 0x0})

17:34:41 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = dup(r0)
mmap$perf(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x2, 0x8030, r1, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
fcntl$setstatus(r1, 0x4, 0x2000)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$GIO_FONTX(r1, 0x4b6b, &(0x7f0000000140)=""/31)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)
ioctl$VIDIOC_SUBDEV_G_DV_TIMINGS(r1, 0xc0845658, &(0x7f0000000080)={0x0, @bt={0x0, 0x54a, 0x1, 0x3, 0x1, 0x4, 0x4, 0xbc97a13, 0x4, 0xffffffffffff0000, 0x9, 0x3, 0x4, 0x3ff, 0x0, 0x1}})

[  474.617517][ T7838] binder_send_failed_reply: 4 callbacks suppressed
[  474.617525][ T7838] binder: send failed reply for transaction 1610, target dead
[  474.679803][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  474.685672][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  474.737179][ T8794] binder: BINDER_SET_CONTEXT_MGR already set
[  474.756272][ T8810] binder_alloc: 8793: binder_alloc_buf, no vma
[  474.778703][ T8794] binder: 8793:8794 ioctl 40046207 0 returned -16
[  474.805158][ T7838] binder: release 8793:8794 transaction 1617 out, still active
[  474.815691][ T8810] binder: 8793:8810 transaction failed 29189/-3, size 24-8 line 3147
[  474.829637][ T7838] binder: unexpected work type, 4, not freed
[  474.851347][ T7838] binder: send failed reply for transaction 1617, target dead
17:34:42 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
fsetxattr$trusted_overlay_opaque(r0, &(0x7f0000000000)='trusted.overlay.opaque\x00', &(0x7f0000000080)='y\x00', 0x2, 0x2)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

17:34:42 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x500000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:42 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = syz_open_dev$mice(&(0x7f00000000c0)='/dev/input/mice\x00', 0x0, 0x80000)
ioctl$NBD_SET_BLKSIZE(r1, 0xab01, 0x8)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

17:34:42 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0xa00, 0x0})

17:34:42 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x600000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:42 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x0, 0x2)
creat(&(0x7f0000000140)='./file0\x00', 0x8)
syz_kvm_setup_cpu$x86(r1, r2, &(0x7f0000699000/0x18000)=nil, &(0x7f00000000c0)=[@text32={0x20, &(0x7f0000000040)="3626660f3881247c360fc71e650f35c401440f20c03505000000440f22c0f3660f080f21160f080f20c60f0019", 0x2d}], 0x1, 0x40, &(0x7f0000000100)=[@flags={0x3, 0x210}], 0x1)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  475.058249][ T9048] binder: BINDER_SET_CONTEXT_MGR already set
[  475.070835][ T7838] binder: release 9013:9048 transaction 1623 out, still active
[  475.079106][ T9048] binder: 9013:9048 ioctl 40046207 0 returned -16
[  475.079803][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  475.091447][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  475.092034][ T7838] binder: unexpected work type, 4, not freed
17:34:42 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x2000, 0x0})

[  475.140748][ T7838] binder_release_work: 6 callbacks suppressed
[  475.140754][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:42 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = syz_open_procfs(0x0, &(0x7f0000000000)='net/rt_acct\x00')
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r1, 0x84, 0x1d, &(0x7f0000000100)={0x8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000140)=0x24)
getsockopt$inet_sctp6_SCTP_EVENTS(r1, 0x84, 0xb, &(0x7f0000000080), &(0x7f00000000c0)=0xb)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

[  475.208396][ T7838] binder: send failed reply for transaction 1623, target dead
[  475.241918][ T9232] binder: BINDER_SET_CONTEXT_MGR already set
17:34:42 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)
r2 = open(&(0x7f0000000080)='./file0\x00', 0x80000, 0x8)
ioctl$VIDIOC_TRY_ENCODER_CMD(r2, 0xc028564e, &(0x7f00000000c0)={0x1, 0x1, [0xed6, 0x40a1, 0x100000000, 0xfff, 0xfffffffffffffffb, 0x9, 0xa109, 0x2]})

[  475.311067][ T9232] binder: 9231:9232 ioctl 40046207 0 returned -16
[  475.330504][ T7838] binder: send failed reply for transaction 1629 to 9231:9232
17:34:42 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x3f00, 0x0})

[  475.380817][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:42 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x600000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:42 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  475.501943][ T9411] binder: BINDER_SET_CONTEXT_MGR already set
[  475.509541][ T7838] binder: release 9382:9411 transaction 1635 out, still active
[  475.525027][ T9411] binder: 9382:9411 ioctl 40046207 0 returned -16
[  475.540665][ T7838] binder: unexpected work type, 4, not freed
17:34:42 executing program 1:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070")
pread64(r0, &(0x7f0000000640)=""/191, 0xfffffffe, 0x0)

17:34:42 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
fsetxattr$trusted_overlay_nlink(r2, &(0x7f0000000000)='trusted.overlay.nlink\x00', &(0x7f0000000040)={'U-', 0x5}, 0x28, 0x3)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:42 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4800, 0x0})

[  475.549364][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  475.570521][ T7838] binder: send failed reply for transaction 1635, target dead
17:34:42 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  475.712114][ T9486] binder: BINDER_SET_CONTEXT_MGR already set
[  475.753559][ T7838] binder: release 9476:9486 transaction 1641 out, still active
[  475.762311][ T9486] binder: 9476:9486 ioctl 40046207 0 returned -16
[  475.776133][ T7838] binder: unexpected work type, 4, not freed
17:34:43 executing program 4:
r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x400000, 0x0)
ioctl$KDGKBSENT(r0, 0x4b48, &(0x7f0000000080)={0x1, 0x4be1, 0x9})
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_INFO(r0, 0xc0bc5310, &(0x7f00000000c0))
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
ioctl$DRM_IOCTL_WAIT_VBLANK(r0, 0xc018643a, &(0x7f0000000180)={0x3e, 0xdc53, 0x1d})
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

[  475.803132][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:43 executing program 1:
pipe2(&(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff}, 0x0)
r1 = syz_open_procfs(0x0, &(0x7f0000000280)='net/unix\x00')
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000180)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
sendfile(r0, r1, 0x0, 0x80000001)

17:34:43 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4c00, 0x0})

[  475.828030][ T7838] binder: send failed reply for transaction 1641, target dead
[  475.957671][ T9744] binder: BINDER_SET_CONTEXT_MGR already set
[  475.973213][ T7838] binder: release 9715:9744 transaction 1647 out, still active
[  475.994207][ T9744] binder: 9715:9744 ioctl 40046207 0 returned -16
17:34:43 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
madvise(&(0x7f000064e000/0x3000)=nil, 0x3000, 0x9)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:43 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  476.007732][ T7838] binder: unexpected work type, 4, not freed
[  476.022519][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:43 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6000, 0x0})

[  476.068474][ T7838] binder_release_work: 8 callbacks suppressed
[  476.068481][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  476.123922][ T7838] binder: send failed reply for transaction 1647, target dead
[  476.154619][ T9906] binder: BINDER_SET_CONTEXT_MGR already set
[  476.179384][ T7838] binder: unexpected work type, 4, not freed
[  476.187471][ T9906] binder: 9901:9906 ioctl 40046207 0 returned -16
[  476.194259][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  476.207583][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  476.239690][ T7838] binder: send failed reply for transaction 1653, target dead
17:34:43 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:43 executing program 1:
r0 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_tx_ring(r0, 0x107, 0xd, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x30b)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000ff0000/0x10000)=nil, 0x10000, 0x0, 0x13012, r0, 0x0)
clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, &(0x7f0000000080))

17:34:43 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:43 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
prctl$PR_SET_FPEMU(0xa, 0x1)
r1 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x3, 0x100000000101000)
ioctl$VIDIOC_LOG_STATUS(r1, 0x5646, 0x0)
bind$pptp(r1, &(0x7f0000000080)={0x18, 0x2, {0x3, @local}}, 0x1e)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r2, 0x80247009)

17:34:43 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6800, 0x0})

[  476.379478][T10012] binder: BINDER_SET_CONTEXT_MGR already set
[  476.395339][ T7838] binder: unexpected work type, 4, not freed
[  476.402544][T10012] binder: 10002:10012 ioctl 40046207 0 returned -16
[  476.410898][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:43 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
ioctl$GIO_CMAP(r0, 0x4b70, &(0x7f00000000c0))
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
pipe(&(0x7f0000000000)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
write$FUSE_NOTIFY_INVAL_ENTRY(r3, &(0x7f0000000040)={0x2a, 0x3, 0x0, {0x1, 0x9, 0x0, '/dev/kvm\x00'}}, 0x2a)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  476.429144][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:43 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6c00, 0x0})

[  476.482640][ T7838] binder: send failed reply for transaction 1659, target dead
17:34:43 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = dup3(r0, r0, 0x80000)
r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00')
sendmsg$TIPC_NL_NAME_TABLE_GET(r1, &(0x7f0000000140)={&(0x7f0000000000), 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x14, r2, 0x0, 0x70bd28, 0x25dfdbfd}, 0x14}, 0x1, 0x0, 0x0, 0x20000000}, 0x20040011)
mmap$xdp(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x0, 0x84010, r1, 0x0)
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

[  476.630464][T10241] binder_alloc_mmap_handler: 8 callbacks suppressed
[  476.630482][T10241] binder_alloc: binder_alloc_mmap_handler: 10235 20001000-20004000 already mapped failed -16
[  476.674419][T10236] binder: BINDER_SET_CONTEXT_MGR already set
[  476.686062][T10236] binder: 10235:10236 ioctl 40046207 0 returned -16
17:34:44 executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
getsockopt$netlink(r0, 0x10e, 0x5, &(0x7f0000000180)=""/83, &(0x7f0000000200)=0x53)

17:34:44 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7400, 0x0})

[  476.714640][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  476.737456][ T7838] binder: send failed reply for transaction 1665 to 10235:10236
17:34:44 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x700008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:44 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x16140, 0x0)
openat$uinput(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uinput\x00', 0x802, 0x0)
ioctl$RTC_AIE_OFF(r1, 0x80247009)

[  476.787335][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:44 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x3, &(0x7f0000ffd000/0x1000)=nil)

[  476.838566][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:44 executing program 1:
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx\x00', 0x0, 0x0)
sendmsg(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000980), 0x0, 0x0, 0xfffffffffffffe03}, 0x0)
ioctl$sock_TIOCINQ(0xffffffffffffffff, 0x541b, 0x0)
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000080)={'bpq0\x00', 0x21})
r0 = syz_open_procfs(0x0, &(0x7f00000001c0)='ns\x00')
getdents(r0, &(0x7f0000000040)=""/46, 0x2e)
perf_event_open(&(0x7f0000000100)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socketpair(0x1, 0x5, 0x0, &(0x7f0000000740)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_SET_FILTER(r2, 0x89f1, &(0x7f0000000080)='ip6tnl0\x00')
syz_genetlink_get_family_id$team(0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0)
io_cancel(0x0, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x5, 0x8001, 0xffffffffffffffff, 0x0, 0x0, 0x5, 0x0, 0x3}, 0x0)
getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, 0x0, 0x0)
setsockopt$XDP_TX_RING(r1, 0x11b, 0x3, &(0x7f0000000180)=0x200, 0x4)
ioctl$EVIOCSCLOCKID(0xffffffffffffffff, 0x400445a0, &(0x7f0000000040))

[  476.887002][T10360] binder_alloc: binder_alloc_mmap_handler: 10354 20001000-20004000 already mapped failed -16
17:34:44 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x800000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  476.942612][T10356] binder: BINDER_SET_CONTEXT_MGR already set
[  476.975574][T10356] binder: 10354:10356 ioctl 40046207 0 returned -16
17:34:44 executing program 4:
r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uinput\x00', 0x0, 0x0)
read(r0, &(0x7f00000001c0)=""/8, 0x8)

[  476.990352][T10439] binder_alloc_new_buf_locked: 8 callbacks suppressed
[  476.990362][T10439] binder_alloc: 10354: binder_alloc_buf, no vma
[  477.014023][T10439] binder_transaction: 8 callbacks suppressed
[  477.014041][T10439] binder: 10354:10439 transaction failed 29189/-3, size 24-8 line 3147
[  477.065511][ T7838] binder: unexpected work type, 4, not freed
[  477.092046][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:44 executing program 4:
perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_mreq(r0, 0x29, 0x1b, &(0x7f0000000080)={@remote}, 0x14)
setsockopt$inet6_mreq(r0, 0x29, 0x1b, &(0x7f0000000040)={@remote}, 0xffffffffffffffbd)

[  477.130474][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:44 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7a00, 0x0})

[  477.171759][ T7838] binder: send failed reply for transaction 1671, target dead
17:34:44 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x800000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:44 executing program 1:
r0 = syz_open_dev$video(&(0x7f0000000080)='/dev/video#\x00', 0x1be62701, 0x0)
ioctl$VIDIOC_S_EXT_CTRLS(r0, 0xc0205649, &(0x7f0000000040)={0x0, 0x100000001, 0x0, [], &(0x7f0000000140)={0x98f903, 0x0, [], @ptr}})

17:34:44 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'team_slave_1\x00'})
r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x521000, 0x0)
connect$can_bcm(r1, &(0x7f0000000040), 0x10)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  477.305462][T10608] binder_alloc: binder_alloc_mmap_handler: 10599 20001000-20004000 already mapped failed -16
[  477.340466][T10600] binder: BINDER_SET_CONTEXT_MGR already set
[  477.379917][T10600] binder: 10599:10600 ioctl 40046207 0 returned -16
[  477.424688][ T7838] binder: unexpected work type, 4, not freed
[  477.431637][T10608] binder_alloc: 10599: binder_alloc_buf, no vma
[  477.439078][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  477.460021][ T7838] binder: send failed reply for transaction 1678, target dead
17:34:44 executing program 1:
r0 = creat(&(0x7f0000000080)='./bus\x00', 0x0)
r1 = creat(&(0x7f00000000c0)='./bus\x00', 0x0)
fcntl$setstatus(r1, 0x4, 0x6100)
ftruncate(r1, 0x208200)
r2 = open(&(0x7f0000000040)='./bus\x00', 0x0, 0x0)
sendfile(r1, r2, 0x0, 0x8000fffffffe)
r3 = open(&(0x7f0000000140)='./bus\x00', 0x141042, 0x0)
ftruncate(r1, 0x3bb7)
r4 = creat(&(0x7f00000001c0)='./file0\x00', 0x0)
write$P9_RREMOVE(r4, &(0x7f0000000280)={0x7}, 0xff7f)
syncfs(r0)
ioctl$EXT4_IOC_MOVE_EXT(r3, 0xc028660f, &(0x7f0000000100)={0x0, r4})

[  477.468020][T10608] binder: 10599:10608 transaction failed 29189/-3, size 24-8 line 3147
[  477.479096][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:44 executing program 4:
r0 = epoll_create1(0x0)
r1 = epoll_create1(0x0)
close(r0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer\x00', 0x141202, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000c85000))

17:34:44 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x1000000, 0x0})

17:34:44 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x800008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  477.671788][T10758] binder_alloc: binder_alloc_mmap_handler: 10727 20001000-20004000 already mapped failed -16
17:34:45 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
dup(r0)
pipe(&(0x7f00000000c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$VIDIOC_S_OUTPUT(r2, 0xc004562f, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x80000000, 0x400000)
bind$rds(r4, &(0x7f0000000040)={0x2, 0x4e22, @multicast2}, 0x10)
r5 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r4, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000100)={<r7=>0xffffffffffffffff}, 0x0, 0xb}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r1, &(0x7f0000000180)={0x15, 0x110, 0xfa00, {r7, 0x0, 0x0, 0x0, 0x0, @ib={0x1b, 0x12d4, 0x7ba1, {"8feb9eb3b4a87a0485583443dc677d87"}, 0x3, 0xfff, 0x6}, @ib={0x1b, 0x1, 0xe1, {"7c76a67ee938914aa34f775e1e0244b4"}, 0x1, 0x2b, 0xfff}}}, 0x118)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:45 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x800008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  477.728759][T10747] binder: BINDER_SET_CONTEXT_MGR already set
[  477.755279][T10747] binder: 10727:10747 ioctl 40046207 0 returned -16
17:34:45 executing program 4:
r0 = epoll_create1(0x0)
r1 = epoll_create1(0x0)
close(r0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer\x00', 0x141202, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000c85000))

[  477.832708][ T7838] binder: send failed reply for transaction 1684 to 10727:10747
17:34:45 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x2000000, 0x0})

[  477.881095][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:45 executing program 1:
r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = socket$inet(0x2, 0x4000000000000001, 0x0)
r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000400)='/dev/autofs\x00', 0x181800, 0x0)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000580)='IPVS\x00')
setsockopt$inet_tcp_int(r1, 0x6, 0x80000000000002, &(0x7f00000006c0)=0x200, 0x20)
recvmsg(0xffffffffffffffff, &(0x7f00000002c0)={&(0x7f0000000340)=@rc, 0x80, &(0x7f0000000840)=[{0x0}, {&(0x7f0000000780)=""/144, 0x90}, {&(0x7f0000000240)=""/6, 0x6}], 0x3, 0x0, 0x0, 0x5}, 0x40010000)
getsockopt$bt_BT_SECURITY(r2, 0x112, 0x4, &(0x7f0000000180), 0x2)
bind$inet(r1, &(0x7f0000deb000)={0x2, 0x4e23, @multicast1}, 0x10)
sendto$inet(r1, 0x0, 0x0, 0x200007fd, &(0x7f00000008c0)={0x2, 0x4e23, @loopback}, 0x10)
setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000100), 0x4)
add_key$user(&(0x7f0000000000)='user\x00', &(0x7f00000001c0)={'syz', 0x1}, &(0x7f0000001b80)="aa9cfa79f3956f0c96361d78aa4cb0f5b55fbb36727d15ca869365de841c258d54f210c8a890de59eeda570ef7c1607238632cbe0a036d853f5a86025b197f5d4a9635aa46ca1edeb2", 0x49, 0xfffffffffffffff8)
r3 = add_key$keyring(0x0, &(0x7f0000000440)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffffb)
add_key(&(0x7f00000009c0)='.dead\x00', &(0x7f0000000a00)={'syz'}, 0x0, 0x0, r3)
recvmsg(r1, &(0x7f00000005c0)={&(0x7f0000000040)=@nfc, 0x80, &(0x7f0000000740)=[{&(0x7f0000003ac0)=""/4096, 0xd400}], 0x1, &(0x7f0000000200)=""/20, 0x14}, 0x100)
getsockopt$bt_rfcomm_RFCOMM_LM(0xffffffffffffffff, 0x12, 0x3, &(0x7f0000001a80), 0x0)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f0000003fe8))
ioctl$EXT4_IOC_PRECACHE_EXTENTS(0xffffffffffffffff, 0x6612)
openat$sequencer2(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/sequencer2\x00', 0x0, 0x0)
write$binfmt_elf64(r1, &(0x7f0000002300)=ANY=[@ANYRES64], 0x1000001bd)
getsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r0, 0x84, 0x71, &(0x7f00000000c0)={0x0, 0x2}, &(0x7f0000000140)=0x8)

[  478.001308][T10962] binder_alloc: binder_alloc_mmap_handler: 10957 20001000-20004000 already mapped failed -16
17:34:45 executing program 4:
r0 = syz_open_dev$vivid(&(0x7f0000000040)='/dev/video#\x00', 0x2, 0x2)
ioctl$VIDIOC_ENUM_FREQ_BANDS(r0, 0xc0405665, &(0x7f0000000080)={0x0, 0x2, 0x2})

[  478.092508][T10960] binder: BINDER_SET_CONTEXT_MGR already set
17:34:45 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x900000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  478.160018][T10960] binder: 10957:10960 ioctl 40046207 0 returned -16
17:34:45 executing program 4:
socketpair(0x0, 0x0, 0x3, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000001bc0)={0x0, 0x0, 0x0, 0x0, 0x200, 0x0, 0x0, 0x0, 0x1, [], 0x0, 0xc}, 0x48)
setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x1, 0x32, 0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xbfffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='/group.stat\x00', 0x2761, 0x0)
r1 = perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0x615, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$cgroup_procs(r0, &(0x7f0000000000)='cgroup.threads\x00', 0x2, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000280)={0xffffffffffffffff, r0, 0x0, 0x0, 0x0}, 0x30)
sendmsg$kcm(r0, &(0x7f0000001a40)={&(0x7f00000002c0)=@pppol2tp={0x18, 0x1, {0x0, r0, {0x2, 0x4e21, @remote}, 0x4, 0x0, 0x2, 0x1}}, 0x80, 0x0}, 0x0)
close(r1)

[  478.235337][ T7838] binder: send failed reply for transaction 1689 to 10957:10960
17:34:45 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x3000000, 0x0})

[  478.280116][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
17:34:45 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x900000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:45 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000ffa000/0x3000)=nil, 0x3000, 0x200008, 0x5c832, r0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_X86_SET_MCE(r1, 0x4040ae9e, &(0x7f0000000000)={0x2200000000000000, 0x10f001, 0x9, 0x4, 0xb})
setregid(0x0, 0x0)
r3 = syz_open_procfs(0x0, &(0x7f0000000140)='uid_map\x00')
setsockopt$inet_sctp_SCTP_AUTH_CHUNK(r3, 0x84, 0x15, &(0x7f0000000180)={0x400000000000}, 0x1)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:45 executing program 1:
perf_event_open(&(0x7f0000000040)={0x1, 0x43, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$EVIOCSABS0(0xffffffffffffffff, 0x401845c0, &(0x7f0000000000)={0x0, 0x0, 0x9, 0x0, 0x1, 0xffff})
r0 = socket(0x1, 0x5, 0x0)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000001c0)={0x0, <r1=>0x0}, &(0x7f0000000200)=0x5)
setreuid(0x0, r1)
capset(&(0x7f0000000380)={0x19980330}, &(0x7f0000001fe8)={0x20000fffffffc, 0xffffffffffffffff})
setpriority(0x2, 0x0, 0x0)

[  478.437914][T11159] binder_alloc: binder_alloc_mmap_handler: 11103 20001000-20004000 already mapped failed -16
17:34:45 executing program 4:
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000003c0)={0xb, 0x5, 0x9, 0x5, 0x1}, 0x2c)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000000)={r0, 0x0, 0x0}, 0x18)
ioctl$FS_IOC_FSGETXATTR(0xffffffffffffffff, 0x801c581f, &(0x7f0000000180)={0x7, 0x81})
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f00000001c0)={r0, &(0x7f0000000000), 0x0}, 0x20)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000400)={r0, &(0x7f0000000180), 0x0}, 0x20)

[  478.530292][T11149] binder: BINDER_SET_CONTEXT_MGR already set
[  478.552555][T11197] capability: warning: `syz-executor.1' uses 32-bit capabilities (legacy support in use)
[  478.584100][T11149] binder: 11103:11149 ioctl 40046207 0 returned -16
[  478.632476][T11204] binder_alloc: 11103: binder_alloc_buf, no vma
[  478.668411][T11204] binder: 11103:11204 transaction failed 29189/-3, size 24-8 line 3147
[  478.680904][ T7838] binder_thread_release: 4 callbacks suppressed
[  478.680917][ T7838] binder: release 11103:11149 transaction 1694 out, still active
17:34:46 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:46 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4000000, 0x0})

[  478.762917][ T7838] binder: unexpected work type, 4, not freed
[  478.812672][ T7838] binder: undelivered TRANSACTION_ERROR: 29189
[  478.839798][    C1] net_ratelimit: 19 callbacks suppressed
[  478.839807][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  478.850046][T11413] binder: BINDER_SET_CONTEXT_MGR already set
[  478.851527][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:46 executing program 4:
r0 = syz_open_dev$evdev(&(0x7f0000000180)='/dev/input/event#\x00', 0x2, 0x0)
r1 = dup(r0)
ioctl$EVIOCGRAB(r0, 0x40044590, &(0x7f0000000100))
ioctl$TIOCSBRK(r1, 0x40044590)

17:34:46 executing program 1:
r0 = socket(0x10, 0x80002, 0x0)
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
setsockopt$IP_VS_SO_SET_ADD(r0, 0x0, 0x482, &(0x7f0000000040)={0x0, @multicast1, 0x0, 0x0, 'lblcr\x00'}, 0x2c)

[  478.886888][T11413] binder: 11410:11413 ioctl 40046207 0 returned -16
[  478.923288][T11420] binder: 11410:11420 transaction failed 29189/-22, size 24-8 line 2994
17:34:46 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x741100, 0x0)
readlink(&(0x7f0000001100)='./file0\x00', &(0x7f0000001140)=""/112, 0x70)
getsockopt$bt_rfcomm_RFCOMM_CONNINFO(r1, 0x12, 0x2, &(0x7f00000000c0)=""/4096, &(0x7f0000000040)=0x1000)
ioctl$sock_TIOCINQ(r1, 0x541b, &(0x7f00000010c0))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  478.979478][T11413] binder: 11410:11413 IncRefs 0 refcount change on invalid ref 0 ret -22
17:34:46 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xa00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  479.061680][T11420] binder_alloc: binder_alloc_mmap_handler: 11410 20001000-20004000 already mapped failed -16
17:34:46 executing program 1:
r0 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e20}, 0x1c)
sendto$inet6(r0, 0x0, 0x0, 0x0, 0x0, 0x0)
write$binfmt_misc(r0, &(0x7f0000000200)=ANY=[], 0x0)
setsockopt$inet6_int(r0, 0x29, 0x4d, &(0x7f00000000c0)=0x200006d26, 0x4)
read(r0, &(0x7f0000000140)=""/165, 0x1000000eb)

[  479.131482][T11413] binder: 11410:11413 transaction failed 29189/-22, size 24-8 line 2994
17:34:46 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:46 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x5000000, 0x0})

[  479.239807][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  479.245803][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:46 executing program 4:
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
mremap(&(0x7f0000a94000/0x2000)=nil, 0x2000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil)
perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mount(0x0, 0x0, &(0x7f00005f7ffa)='ramfs\x00', 0x0, 0x0)
mlock(&(0x7f0000400000/0x4000)=nil, 0x4000)
munlockall()

[  479.358034][T11645] binder_alloc: binder_alloc_mmap_handler: 11638 20001000-20004000 already mapped failed -16
17:34:46 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000e77000/0x4000)=nil, 0x4000, 0x0, 0x0, 0x3f, 0x1)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000100)='/dev/video36\x00', 0x2, 0x0)
ioctl$VIDIOC_DECODER_CMD(r0, 0xc0485660, &(0x7f0000000140)={0x7, 0x2, @start={0x2, 0x1}})
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$amidi(&(0x7f0000000000)='/dev/amidi#\x00', 0x10001, 0x40040)
connect$caif(r2, &(0x7f0000000040)=@rfm={0x25, 0x7ff, "0cdbccf367114a6162cc7d35b64ad142"}, 0x18)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f00000000c0))
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  479.399855][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  479.405727][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  479.432415][T11642] binder: BINDER_SET_CONTEXT_MGR already set
[  479.473900][T11642] binder: 11638:11642 ioctl 40046207 0 returned -16
17:34:46 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xb00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  479.521633][ T7838] binder: release 11638:11642 transaction 1703 out, still active
[  479.559451][ T7838] binder: unexpected work type, 4, not freed
17:34:46 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6000000, 0x0})

17:34:46 executing program 4:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0)
pread64(r0, &(0x7f0000000640)=""/191, 0xfffffffe, 0x1000)

17:34:47 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  479.725739][T11765] binder_alloc: binder_alloc_mmap_handler: 11762 20001000-20004000 already mapped failed -16
17:34:47 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = socket$inet6(0xa, 0x400000000001, 0x0)
close(r1)
open(&(0x7f0000002000)='./bus\x00', 0x0, 0x0)
ftruncate(0xffffffffffffffff, 0x8000)
lgetxattr(0x0, &(0x7f0000000240)=ANY=[@ANYRESOCT], 0x0, 0xfffffd4f)
r2 = socket$inet6(0xa, 0x2, 0x0)
connect$inet6(r2, &(0x7f0000000080)={0xa, 0x4e24, 0x0, @ipv4={[], [], @loopback}}, 0x1c)
sendmmsg(r2, &(0x7f00000092c0), 0x800010b, 0x18)

[  479.777026][T11763] binder: BINDER_SET_CONTEXT_MGR already set
[  479.801390][T11763] binder: 11762:11763 ioctl 40046207 0 returned -16
[  479.854357][ T7838] binder: release 11762:11763 transaction 1708 out, still active
[  479.879912][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  479.885857][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  479.894048][ T7838] binder: unexpected work type, 4, not freed
17:34:47 executing program 3:
pipe2(&(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x4000)
ioctl$DRM_IOCTL_WAIT_VBLANK(r0, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
r3 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vfio/vfio\x00', 0x400000, 0x0)
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={<r4=>r2})
ioctl$sock_inet_tcp_SIOCATMARK(r4, 0x8905, &(0x7f0000000040))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
fsetxattr$trusted_overlay_upper(r3, &(0x7f0000000140)='trusted.overlay.upper\x00', &(0x7f0000000180)={0x0, 0xfb, 0x15, 0x5, 0x0, "422240684b48aafc7bde545e1ab8c8d1"}, 0x15, 0x3)
ioctl$EXT4_IOC_SETFLAGS(r4, 0x40086602, &(0x7f0000000200)=0x80)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
ioctl$TUNGETFEATURES(r0, 0x800454cf, &(0x7f00000001c0))
epoll_ctl$EPOLL_CTL_DEL(r1, 0x2, r5)

17:34:47 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7000000, 0x0})

[  479.944283][ T7838] binder_send_failed_reply: 2 callbacks suppressed
[  479.944289][ T7838] binder: send failed reply for transaction 1708, target dead
[  480.046804][T11794] binder_alloc: binder_alloc_mmap_handler: 11780 20001000-20004000 already mapped failed -16
[  480.127676][T11785] binder: BINDER_SET_CONTEXT_MGR already set
[  480.171134][T11785] binder: 11780:11785 ioctl 40046207 0 returned -16
17:34:47 executing program 1:
syz_open_procfs(0xffffffffffffffff, 0x0)
openat$hwrng(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwrng\x00', 0x408001, 0x0)
openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x1, 0x0)
mkdir(&(0x7f0000000140)='./file0\x00', 0x0)
mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000140)='rpc_pipefs\x00', 0x0, 0x0)

17:34:47 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xd00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:47 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:47 executing program 4:
perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
semtimedop(0x0, &(0x7f0000000380)=[{}], 0x1, 0x0)

17:34:47 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0xa000000, 0x0})

[  480.249916][ T7838] binder: send failed reply for transaction 1713 to 11780:11785
[  480.283904][ T7838] binder_release_work: 5 callbacks suppressed
[  480.283910][ T7838] binder: undelivered TRANSACTION_COMPLETE
17:34:47 executing program 4:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000001280)={&(0x7f0000000000)=ANY=[@ANYBLOB="ff0f0000000000001800120008000100736974000c00020008000a0048911559b0ecf0548ac6d59c825e0484213c", @ANYRES32=0x0], 0x2}}, 0x0)

17:34:47 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
getegid()
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  480.354849][T12019] binder: BINDER_SET_CONTEXT_MGR already set
[  480.376819][T12034] binder_alloc: 12005: binder_alloc_buf, no vma
[  480.388456][T12019] binder: 12005:12019 ioctl 40046207 0 returned -16
[  480.398789][T12034] binder: 12005:12034 transaction failed 29189/-3, size 24-8 line 3147
[  480.436198][ T7838] binder: release 12005:12019 transaction 1718 out, still active
[  480.450847][ T7838] binder: unexpected work type, 4, not freed
17:34:47 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x20000000, 0x0})

17:34:47 executing program 1:
perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x2, 0x0)
write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c)
ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11)
ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0x0)
ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0)
write$uinput_user_dev(r0, &(0x7f0000000880)={'syz1\x00', {}, 0x11, [0x7ff]}, 0x45c)

[  480.488919][ T7838] binder: undelivered TRANSACTION_COMPLETE
[  480.528821][ T7838] binder: send failed reply for transaction 1718, target dead
17:34:47 executing program 4:
r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x1802, 0x0)
write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c)
ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0)
ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x0)

[  480.627606][T12114] binder: BINDER_SET_CONTEXT_MGR already set
[  480.634501][T12119] input: syz1 as /devices/virtual/input/input14
[  480.664950][T12117] binder_alloc: 12112: binder_alloc_buf, no vma
[  480.679787][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  480.679803][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  480.700863][   T12] binder: release 12112:12114 transaction 1724 out, still active
[  480.712067][T12114] binder: 12112:12114 ioctl 40046207 0 returned -16
17:34:48 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1400000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:48 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1900008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  480.730494][   T12] binder: unexpected work type, 4, not freed
[  480.760700][T12117] binder: 12112:12117 transaction failed 29189/-3, size 24-8 line 3147
[  480.770281][   T12] binder: undelivered TRANSACTION_COMPLETE
[  480.798849][T12122] input: syz1 as /devices/virtual/input/input15
[  480.806133][   T12] binder: send failed reply for transaction 1724, target dead
17:34:48 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
r1 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x1, 0x400000)
bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000100)={r1, 0x0, 0x0, 0x8, &(0x7f00000000c0)=[0x0, 0x0], 0x2}, 0x20)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2)
ioctl$KDSKBLED(r2, 0x4b65, 0x0)
r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
prctl$PR_MPX_DISABLE_MANAGEMENT(0x2c)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:48 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x3f000000, 0x0})

[  480.995781][T12305] binder: BINDER_SET_CONTEXT_MGR already set
17:34:48 executing program 4:
socket$inet_udp(0x2, 0x2, 0x0)
r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000080)='/dev/fuse\x00', 0x2, 0x0)
r1 = dup3(r0, 0xffffffffffffff9c, 0x100000000007fffc)
ioctl$RTC_EPOCH_READ(r1, 0x8008700d, &(0x7f0000000000))
r2 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r2, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_PIE_OFF(r3, 0x7006)

[  481.056046][   T12] binder: release 12277:12305 transaction 1730 out, still active
[  481.064913][T12305] binder: 12277:12305 ioctl 40046207 0 returned -16
[  481.080337][   T12] binder: unexpected work type, 4, not freed
[  481.086346][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:48 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1900008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:48 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x48000000, 0x0})

[  481.138889][   T12] binder: send failed reply for transaction 1730, target dead
17:34:48 executing program 1:
mkdir(&(0x7f0000000040)='./file0\x00', 0x0)
fcntl$lock(0xffffffffffffffff, 0x27, 0x0)
syz_open_pts(0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0xee67, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f000001d000)={0x8000000000001, 0x118, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/igmp6\x00')
sendmsg(0xffffffffffffffff, &(0x7f0000002fc8)={0x0, 0x0, &(0x7f0000000540)}, 0x0)
preadv(r0, &(0x7f00000017c0), 0x1fe, 0x400000000000)
setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f0000000440)='veth1\x00\x00\x00\x00\xff\xff\xff\xff\xff\xef\x00', 0x1000002b3)
ioctl$PPPIOCNEWUNIT(0xffffffffffffffff, 0xc004743e, 0x0)
mount$fuse(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000000080)='fuse\x00', 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="5b2238860abc181bf793aeb0917037899cdcc7ed98755eb77063f43fa39c5944d71762b54175a3b0f7cf8ad986ea41643154cf92797d3fabb606247223076417626c7dde6fe6b1b5c8539984f7dbeec40800a3689b4ea3f628483a779b47cfdc9da7d340785e8ea53abbab139ddf6b31fd6296bdecfd4dd419762814968c83f24aaa1467516e9060eaaeff879b818b2bd6e84e57d70ee67c05cfa274bc3dd58c12bf139510a8eba2acba550732472251428894d6aa62e0dd91cad706f81ea87542b5754774bdebf887f35bfeb1b753cd146362ef9ef1f973314d084b6d2876ac2182039775f5da66852fc5f0c48e42cff48b3d010c5c80a405d493b6635990e8587a1baffdaa8d2effae72c317c6b4e78932dc59c4990a510e72e31979a7a1c971b399da65a86310368456907b8c0b8ee11744ff72e48bbd286b6d81a4afe51dcc9304ab52448219c0eb3d260abaaa254b8ab8424eb31d541c929aa585bf03b0f036"])
write$UHID_CREATE2(r0, &(0x7f0000000600)=ANY=[@ANYBLOB="0b00000073797a300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a3100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073797a300000000000000000000000000000000000edbecb582d2ef91d0000000000000000000000000000000000000000000000000000000000000000000000bc00000001000100b30000000500000001000000825c2d9d666568081bee5110b8c48be1d31a6aa9b35f6ef94250df35d415f8cd1d875af57e2397f4f726757b4314be97298c15f86185b2c767fbbcd0cb5973917639d1468a59f05b85258741156ab6380f0c045c884c273608c7a431d00b610db9040681edf809bf5c00a2ba01ea2eb5e563d39897616facfd2fb4cf29a45702ef8d4d1a824b6bcf0a2477ac33797c83667447f8eeb691c3985d1fd4d87cb198a485e716c6c80429e855cefbb9d425db675816f006f603665681c0d2"], 0x1)

17:34:48 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1a00008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  481.264798][T12453] binder: BINDER_SET_CONTEXT_MGR already set
17:34:48 executing program 4:
pipe(&(0x7f0000000200)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = socket$inet_udp(0x2, 0x2, 0x0)
close(r2)
write$cgroup_int(r1, &(0x7f0000000100), 0x443)
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='oom_score_adj\x00')
r3 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200)
splice(r0, 0x0, r2, 0x0, 0x8100000, 0x0)

[  481.307756][T12454] binder_alloc: 12444: binder_alloc_buf, no vma
[  481.323363][   T12] binder: release 12444:12453 transaction 1735 out, still active
[  481.332934][T12453] binder: 12444:12453 ioctl 40046207 0 returned -16
17:34:48 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/vs/schedule_icmp\x00', 0x2, 0x0)
setsockopt$packet_tx_ring(r0, 0x107, 0xd, &(0x7f00000000c0)=@req={0x1, 0x8, 0x7, 0x8}, 0x10)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0xffff, 0x800)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  481.376522][   T12] binder: unexpected work type, 4, not freed
[  481.416810][   T12] binder: undelivered TRANSACTION_COMPLETE
[  481.423640][T12454] binder: 12444:12454 transaction failed 29189/-3, size 24-8 line 3147
[  481.456618][   T12] binder: send failed reply for transaction 1735, target dead
17:34:48 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4c000000, 0x0})

[  481.508719][   T12] binder_release_work: 5 callbacks suppressed
[  481.508727][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:48 executing program 4:
syz_open_dev$dri(0x0, 0x1, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$packet(0x11, 0x40000000003, 0x300)
setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000fbe000)={0x1, &(0x7f0000000000)=[{0x80000006}]}, 0x8)

17:34:48 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1a00008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:49 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  481.667467][T12687] binder_alloc_mmap_handler: 4 callbacks suppressed
[  481.667485][T12687] binder_alloc: binder_alloc_mmap_handler: 12675 20001000-20004000 already mapped failed -16
[  481.720763][T12679] binder: BINDER_SET_CONTEXT_MGR already set
[  481.752593][T12749] binder_alloc: 12675: binder_alloc_buf, no vma
[  481.762537][T12749] binder: 12742:12749 transaction failed 29189/-3, size 0-0 line 3147
17:34:49 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$EVIOCGSND(r2, 0x8040451a, &(0x7f00000000c0)=""/126)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
connect$l2tp(r2, &(0x7f0000000000)=@pppol2tpin6={0x18, 0x1, {0x0, r0, 0x2, 0x1, 0x2, 0x4, {0xa, 0x4e22, 0x3, @dev={0xfe, 0x80, [], 0x12}, 0x5}}}, 0x32)

[  481.786426][T12679] binder: 12675:12679 ioctl 40046207 0 returned -16
[  481.810541][T12787] binder_alloc: 12675: binder_alloc_buf, no vma
17:34:49 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d00008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:49 executing program 4:

[  481.830784][T12787] binder: 12675:12787 transaction failed 29189/-3, size 24-8 line 3147
[  481.848209][   T12] binder: release 12675:12679 transaction 1741 out, still active
17:34:49 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  481.881359][   T12] binder: unexpected work type, 4, not freed
[  481.907041][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:49 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x60000000, 0x0})

17:34:49 executing program 4:

[  481.947775][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  481.986315][T12802] binder_alloc: 12675: binder_alloc_buf, no vma
[  482.026552][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  482.049634][   T12] binder: send failed reply for transaction 1741, target dead
[  482.064062][T12802] binder: 12801:12802 transaction failed 29189/-3, size 0-0 line 3147
17:34:49 executing program 4:

[  482.086770][T12809] binder_alloc: binder_alloc_mmap_handler: 12807 20001000-20004000 already mapped failed -16
17:34:49 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x1d00008000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  482.133445][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  482.151183][T12808] binder: BINDER_SET_CONTEXT_MGR already set
[  482.170804][T12808] binder: 12807:12808 ioctl 40046207 0 returned -16
17:34:49 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  482.202553][T12815] binder_alloc: 12807: binder_alloc_buf, no vma
[  482.234882][   T12] binder: release 12807:12808 transaction 1752 out, still active
17:34:49 executing program 4:

[  482.251360][T12815] binder: 12807:12815 transaction failed 29189/-3, size 24-8 line 3147
[  482.263610][   T12] binder: unexpected work type, 4, not freed
[  482.269660][   T12] binder: undelivered TRANSACTION_COMPLETE
[  482.278163][T12820] binder_alloc: 12807: binder_alloc_buf, no vma
17:34:49 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x68000000, 0x0})

17:34:49 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x3f00000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:49 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x20000, 0x0)
openat(r0, &(0x7f0000000040)='./file0\x00', 0x400, 0x2)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
ioctl$PPPIOCGUNIT(r0, 0x80047456, &(0x7f00000000c0))

[  482.324157][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  482.340038][T12820] binder: 12819:12820 transaction failed 29189/-3, size 0-0 line 3147
[  482.348284][   T12] binder: send failed reply for transaction 1752, target dead
[  482.440712][T12832] binder_alloc: binder_alloc_mmap_handler: 12825 20001000-20004000 already mapped failed -16
[  482.455972][   T22] binder: undelivered TRANSACTION_ERROR: 29189
17:34:49 executing program 4:

[  482.487668][T12828] binder: BINDER_SET_CONTEXT_MGR already set
[  482.512095][T12835] binder_alloc: 12825: binder_alloc_buf, no vma
[  482.518513][T12831] Unknown ioctl -2147191722
[  482.523803][T12828] binder: 12825:12828 ioctl 40046207 0 returned -16
17:34:49 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  482.556797][   T12] binder: release 12825:12828 transaction 1761 out, still active
[  482.565352][T12835] binder: 12825:12835 transaction failed 29189/-3, size 24-8 line 3147
[  482.583439][   T12] binder: unexpected work type, 4, not freed
[  482.611148][   T12] binder: undelivered TRANSACTION_COMPLETE
[  482.641644][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  482.646867][T12843] binder_alloc: 12825: binder_alloc_buf, no vma
17:34:49 executing program 4:

17:34:49 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6c000000, 0x0})

17:34:50 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  482.668409][   T12] binder: send failed reply for transaction 1761, target dead
[  482.710781][T12843] binder: 12841:12843 transaction failed 29189/-3, size 0-0 line 3147
17:34:50 executing program 4:

[  482.771419][T12852] binder_alloc: binder_alloc_mmap_handler: 12848 20001000-20004000 already mapped failed -16
[  482.787489][   T22] binder: undelivered TRANSACTION_ERROR: 29189
17:34:50 executing program 3:
r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000500)='/dev/dsp\x00', 0x2, 0x0)
syz_open_procfs(0x0, &(0x7f0000000540)='net/tcp6\x00')
syz_open_dev$usb(&(0x7f0000000580)='/dev/bus/usb/00#/00#\x00', 0x7326, 0x0)
syz_open_dev$audion(&(0x7f00000005c0)='/dev/audio#\x00', 0xfffffffffffffff9, 0x0)
syz_open_dev$midi(&(0x7f0000000600)='/dev/midi#\x00', 0x5, 0x10000)
openat$vsock(0xffffffffffffff9c, &(0x7f0000000640)='/dev/vsock\x00', 0x0, 0x0)
syz_open_dev$vcsn(&(0x7f0000000680)='/dev/vcs#\x00', 0x6, 0x80000)
ioctl$DRM_IOCTL_WAIT_VBLANK(r0, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
r4 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x20000, 0x0)
ioctl$sock_bt_hidp_HIDPGETCONNLIST(r4, 0x800448d2, &(0x7f0000000040)={0x7, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {}, {}]})
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  482.830491][T12849] binder: BINDER_SET_CONTEXT_MGR already set
17:34:50 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:50 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x4000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  482.887249][T12849] binder: 12848:12849 ioctl 40046207 0 returned -16
17:34:50 executing program 4:

[  482.938284][   T12] binder: unexpected work type, 4, not freed
[  482.962247][T12863] binder_alloc: 12848: binder_alloc_buf, no vma
[  482.963207][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:50 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x74000000, 0x0})

[  483.023398][T12863] binder: 12861:12863 transaction failed 29189/-3, size 0-0 line 3147
[  483.031175][   T12] binder: send failed reply for transaction 1770, target dead
17:34:50 executing program 4:

[  483.093343][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:50 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  483.147675][T12877] binder_alloc: binder_alloc_mmap_handler: 12873 20001000-20004000 already mapped failed -16
17:34:50 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:50 executing program 4:

[  483.206714][T12874] binder: BINDER_SET_CONTEXT_MGR already set
[  483.235788][T12874] binder: 12873:12874 ioctl 40046207 0 returned -16
[  483.263834][T12880] binder_alloc: 12873: binder_alloc_buf, no vma
17:34:50 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x10000, 0x0)
ioctl$VT_GETMODE(r0, 0x5601, &(0x7f0000000040))
ioctl$SNDRV_TIMER_IOCTL_STOP(r0, 0x54a1)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  483.304946][T12880] binder: 12879:12880 transaction failed 29189/-3, size 0-0 line 3147
[  483.330496][T12886] binder_alloc: 12873: binder_alloc_buf, no vma
[  483.355114][T12886] binder: 12873:12886 transaction failed 29189/-3, size 24-8 line 3147
[  483.369667][   T12] binder: send failed reply for transaction 1777 to 12873:12874
17:34:50 executing program 4:

17:34:50 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7a000000, 0x0})

17:34:50 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  483.400640][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  483.429486][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:50 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x5000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:50 executing program 4:

[  483.535006][T12902] binder_alloc: binder_alloc_mmap_handler: 12897 20001000-20004000 already mapped failed -16
[  483.591724][T12899] binder: BINDER_SET_CONTEXT_MGR already set
[  483.620430][T12899] binder: 12897:12899 ioctl 40046207 0 returned -16
17:34:50 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:50 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  483.637098][T12907] binder_alloc: 12897: binder_alloc_buf, no vma
[  483.653285][T12907] binder: 12897:12907 transaction failed 29189/-3, size 24-8 line 3147
[  483.678742][   T12] binder: unexpected work type, 4, not freed
[  483.700030][   T12] binder: send failed reply for transaction 1785, target dead
17:34:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0xfdfdffff, 0x0})

17:34:51 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000040)={0x0, r0, 0x0, 0x1, &(0x7f0000000000)='\x00'}, 0x30)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000100)={0xffffffffffffffff, r0, 0x0, 0x9, &(0x7f00000000c0)='/dev/kvm\x00', 0xffffffffffffffff}, 0x30)
getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f0000000140)={<r1=>0x0}, &(0x7f0000000180)=0xc)
ioctl$sock_FIOGETOWN(0xffffffffffffffff, 0x8903, &(0x7f00000001c0))
getpriority(0x2, r1)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:51 executing program 4:

[  483.752371][T12915] binder: 12914:12915 Acquire 1 refcount change on invalid ref 0 ret -22
[  483.816730][T12915] binder: 12914:12915 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  483.835273][T12921] binder_alloc: binder_alloc_mmap_handler: 12917 20001000-20004000 already mapped failed -16
17:34:51 executing program 4:

[  483.889434][T12915] binder_alloc: 12917: binder_alloc_buf, no vma
[  483.920057][T12919] binder: BINDER_SET_CONTEXT_MGR already set
[  483.929502][T12915] binder: 12914:12915 transaction failed 29189/-3, size 0-0 line 3147
17:34:51 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x8000000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  483.959850][T12919] binder: 12917:12919 ioctl 40046207 0 returned -16
[  483.976235][T12930] binder_alloc: 12917: binder_alloc_buf, no vma
17:34:51 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0xfffffdfd, 0x0})

[  484.036973][   T12] binder: send failed reply for transaction 1794 to 12917:12919
[  484.044826][    C0] net_ratelimit: 19 callbacks suppressed
[  484.044837][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  484.044895][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:51 executing program 4:

[  484.134173][T12941] binder_alloc: binder_alloc_mmap_handler: 12935 20001000-20004000 already mapped failed -16
17:34:51 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xf6ffffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:51 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:51 executing program 4:

[  484.219453][T12939] binder: BINDER_SET_CONTEXT_MGR already set
[  484.259091][T12939] binder: 12935:12939 ioctl 40046207 0 returned -16
17:34:51 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000000)=<r3=>0x0)
getpriority(0x3, r3)

[  484.296466][   T12] binder_thread_release: 3 callbacks suppressed
[  484.296476][   T12] binder: release 12935:12939 transaction 1801 out, still active
17:34:51 executing program 4:

17:34:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x100000000000000, 0x0})

[  484.375913][   T12] binder: unexpected work type, 4, not freed
17:34:51 executing program 1:
syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:51 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xf6ffffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  484.491865][T12965] binder_alloc: binder_alloc_mmap_handler: 12960 20001000-20004000 already mapped failed -16
17:34:51 executing program 4:

[  484.572007][T12964] binder: BINDER_SET_CONTEXT_MGR already set
[  484.596567][T12964] binder: 12960:12964 ioctl 40046207 0 returned -16
17:34:51 executing program 1:
syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x200000000000000, 0x0})

[  484.659917][   T12] binder: send failed reply for transaction 1811 to 12960:12964
17:34:52 executing program 4:

17:34:52 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfcfdffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:52 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$sock_SIOCGPGRP(0xffffffffffffffff, 0x8904, &(0x7f0000000000))
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000040)={<r1=>0x0}, &(0x7f00000000c0)=0xc)
getpriority(0x5, r1)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/ubi_ctrl\x00', 0x400000, 0x0)
r4 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000200)='/dev/mixer\x00', 0x7c1fa362c64a2ddd, 0x0)
syz_kvm_setup_cpu$x86(r3, r4, &(0x7f0000799000/0x18000)=nil, &(0x7f00000002c0)=[@text16={0x10, &(0x7f0000000240)="6766c7442400008000006766c7442402074857656766c744240600000000670f0114240f01ddd7b818008ed00f2353e3020f35baf80c66b81038e28f66efbafc0c66b81700000066ef36d1880d78baf80c66b86e38828266efbafc0cb062ee", 0x5f}], 0x1, 0x20, &(0x7f0000000300)=[@efer={0x2, 0x1000}], 0x1)
r5 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
r7 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/sync_qlen_max\x00', 0x2, 0x0)
ioctl$UI_DEV_SETUP(r7, 0x405c5503, &(0x7f0000000140)={{0x526, 0x4, 0x8000, 0x8}, 'syz1\x00', 0x3b})
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  484.794548][T12988] binder_alloc: binder_alloc_mmap_handler: 12985 20001000-20004000 already mapped failed -16
[  484.834187][T12987] binder: BINDER_SET_CONTEXT_MGR already set
17:34:52 executing program 1:
syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  484.839806][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  484.840355][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  484.845996][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  484.851732][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:34:52 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfcfdffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:52 executing program 4:

[  484.938147][   T12] binder: send failed reply for transaction 1816 to 12985:12987
[  484.957622][T12987] binder: 12985:12987 ioctl 40046207 0 returned -16
17:34:52 executing program 1:
r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x300000000000000, 0x0})

17:34:52 executing program 4:

[  485.079816][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  485.085643][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  485.167493][T13013] binder: BINDER_SET_CONTEXT_MGR already set
[  485.197094][   T12] binder: release 13011:13013 transaction 1821 out, still active
[  485.207102][T13013] binder: 13011:13013 ioctl 40046207 0 returned -16
17:34:52 executing program 1:
r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:52 executing program 4:

17:34:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x400000000000000, 0x0})

[  485.226236][   T12] binder: unexpected work type, 4, not freed
[  485.250227][   T12] binder_send_failed_reply: 2 callbacks suppressed
[  485.250237][   T12] binder: send failed reply for transaction 1821, target dead
17:34:52 executing program 1:
r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  485.394577][T13025] binder: BINDER_SET_CONTEXT_MGR already set
[  485.413490][   T12] binder: release 13024:13025 transaction 1827 out, still active
[  485.422797][T13025] binder: 13024:13025 ioctl 40046207 0 returned -16
[  485.436858][   T12] binder: unexpected work type, 4, not freed
17:34:52 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:52 executing program 3:
r0 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x2, 0x0)
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full\x00', 0x2, 0x0)
openat$mixer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/mixer\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer2\x00', 0x100, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000140)='/dev/hwrng\x00', 0x88400, 0x0)
ioctl$DRM_IOCTL_WAIT_VBLANK(r2, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(r0, 0xc004562f, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r1, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x399, 0x400, 0x0, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f00000003c0)={0x0, 0x18, 0xfa00, {0x4, &(0x7f0000000380)={<r6=>0xffffffffffffffff}, 0x0, 0x8}}, 0x20)
write$RDMA_USER_CM_CMD_QUERY_ROUTE(r2, &(0x7f0000000400)={0x5, 0x10, 0xfa00, {&(0x7f0000000180), r6, 0x2}}, 0x18)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:52 executing program 4:

[  485.457252][   T12] binder_release_work: 7 callbacks suppressed
[  485.457257][   T12] binder: undelivered TRANSACTION_COMPLETE
[  485.479815][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  485.485646][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  485.548828][   T12] binder: send failed reply for transaction 1827, target dead
17:34:52 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x500000000000000, 0x0})

17:34:52 executing program 1:
r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:52 executing program 4:

17:34:53 executing program 4:

[  485.703723][T13045] binder: BINDER_SET_CONTEXT_MGR already set
17:34:53 executing program 1:
r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  485.746591][   T12] binder: release 13044:13045 transaction 1833 out, still active
[  485.755163][T13045] binder: 13044:13045 ioctl 40046207 0 returned -16
[  485.775121][   T12] binder: unexpected work type, 4, not freed
17:34:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x600000000000000, 0x0})

17:34:53 executing program 4:

[  485.801476][   T12] binder: undelivered TRANSACTION_COMPLETE
[  485.833205][   T12] binder: send failed reply for transaction 1833, target dead
17:34:53 executing program 1:
r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  485.955559][T13067] binder: BINDER_SET_CONTEXT_MGR already set
17:34:53 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffefffffff7f0000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:53 executing program 4:

17:34:53 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
r0 = open(&(0x7f00000001c0)='./file0\x00', 0x400c0, 0xc0)
setsockopt$RXRPC_UPGRADEABLE_SERVICE(r0, 0x110, 0x5, &(0x7f0000000200), 0x2)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='rdma.current\x00', 0x0, 0x0)
ioctl$TIOCGSID(0xffffffffffffff9c, 0x5429, &(0x7f0000000040)=<r2=>0x0)
getdents(r1, &(0x7f0000000140)=""/93, 0x5d)
setsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r1, 0x84, 0x12, &(0x7f0000000100)=0x8, 0x4)
ioctl$TIOCSPGRP(r1, 0x5410, &(0x7f00000000c0)=r2)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  485.996768][   T12] binder: release 13065:13067 transaction 1839 out, still active
[  486.006166][T13067] binder: 13065:13067 ioctl 40046207 0 returned -16
[  486.019612][   T12] binder: unexpected work type, 4, not freed
[  486.037267][   T12] binder: undelivered TRANSACTION_COMPLETE
[  486.081687][   T12] binder: send failed reply for transaction 1839, target dead
17:34:53 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffefffffff7f0000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x700000000000000, 0x0})

17:34:53 executing program 4:

17:34:53 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(0xffffffffffffffff, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:53 executing program 4:

17:34:53 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(0xffffffffffffffff, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  486.270589][T13090] binder: BINDER_SET_CONTEXT_MGR already set
[  486.285413][   T12] binder: release 13085:13090 transaction 1845 out, still active
[  486.294859][T13090] binder: 13085:13090 ioctl 40046207 0 returned -16
[  486.320275][   T12] binder: unexpected work type, 4, not freed
[  486.326285][   T12] binder: undelivered TRANSACTION_COMPLETE
[  486.326385][   T12] binder: send failed reply for transaction 1845, target dead
17:34:53 executing program 4:

17:34:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0xa00000000000000, 0x0})

17:34:53 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(0xffffffffffffffff, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  486.528510][T13107] binder: BINDER_SET_CONTEXT_MGR already set
17:34:53 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffffffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:53 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
r1 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0)
ioctl$BLKROGET(r1, 0x125e, &(0x7f0000000040))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:53 executing program 4:
openat$zero(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getpeername$netlink(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$netlink(0x10, 0x3, 0x0)
socket$inet_tcp(0x2, 0x1, 0x0)
syncfs(r0)
ioctl$sock_inet6_udp_SIOCINQ(0xffffffffffffffff, 0x541b, 0x0)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, 0x0)

[  486.589279][   T12] binder: send failed reply for transaction 1851 to 13104:13107
[  486.597787][T13107] binder: 13104:13107 ioctl 40046207 0 returned -16
[  486.611910][   T12] binder: undelivered TRANSACTION_COMPLETE
[  486.618647][   T12] binder_release_work: 16 callbacks suppressed
[  486.618653][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:54 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffffffff00000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:54 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, 0xffffffffffffffff)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x2000000000000000, 0x0})

17:34:54 executing program 4:
perf_event_open(&(0x7f000001d000)={0x8000000000001, 0x118, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000080)='auxv\x00')
sendmsg(0xffffffffffffffff, &(0x7f0000002fc8)={0x0, 0x0, &(0x7f0000000540)}, 0x0)
preadv(r0, &(0x7f00000017c0), 0x1fe, 0x400000000000)

17:34:54 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, 0xffffffffffffffff)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  486.858794][T13235] binder_alloc_mmap_handler: 6 callbacks suppressed
[  486.858812][T13235] binder_alloc: binder_alloc_mmap_handler: 13228 20001000-20004000 already mapped failed -16
[  486.886793][T13229] binder: BINDER_SET_CONTEXT_MGR already set
[  486.925930][T13229] binder: 13228:13229 ioctl 40046207 0 returned -16
17:34:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x3f00000000000000, 0x0})

[  486.981777][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  487.007800][   T12] binder: send failed reply for transaction 1856 to 13228:13229
17:34:54 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, 0xffffffffffffffff)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  487.044673][   T12] binder: undelivered TRANSACTION_COMPLETE
[  487.071117][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:54 executing program 4:
r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000080)='/dev/null\x00', 0x0, 0x0)
perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_mreq(r1, 0x29, 0x1b, &(0x7f0000000080)={@remote}, 0x14)
setsockopt$inet6_mreq(r1, 0x29, 0x1b, &(0x7f0000000040)={@remote}, 0xffffffffffffffbd)
dup2(r0, r1)

[  487.102373][T13348] binder_alloc: binder_alloc_mmap_handler: 13345 20001000-20004000 already mapped failed -16
[  487.137773][T13346] binder: BINDER_SET_CONTEXT_MGR already set
17:34:54 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffffffffff600000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  487.170683][T13346] binder: 13345:13346 ioctl 40046207 0 returned -16
[  487.203885][   T12] binder: release 13345:13346 transaction 1862 out, still active
[  487.213515][T13348] binder_alloc_new_buf_locked: 9 callbacks suppressed
[  487.213524][T13348] binder_alloc: 13345: binder_alloc_buf, no vma
[  487.230815][   T12] binder: unexpected work type, 4, not freed
[  487.249589][T13348] binder_transaction: 10 callbacks suppressed
[  487.249608][T13348] binder: 13345:13348 transaction failed 29189/-3, size 24-8 line 3147
17:34:54 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0xffffffffff600000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:54 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x4)
r1 = syz_open_dev$dmmidi(&(0x7f0000000280)='/dev/dmmidi#\x00', 0xfffffffffffffffd, 0x4200)
r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000300)='TIPCv2\x00')
sendmsg$TIPC_NL_MON_PEER_GET(r1, &(0x7f00000004c0)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x80500004}, 0xc, &(0x7f0000000480)={&(0x7f0000000340)={0x114, r2, 0x11, 0x70bd25, 0x25dfdbff, {}, [@TIPC_NLA_NET={0x3c, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x3}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x9}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x7255}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x400000000}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x100000000}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x84}]}, @TIPC_NLA_NODE={0x1c, 0x6, [@TIPC_NLA_NODE_ADDR={0x8}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x20}]}, @TIPC_NLA_LINK={0x7c, 0x4, [@TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9f}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x800}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x69dd}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7ff}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffffffb}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}]}, @TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x80000001}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x5}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}]}, @TIPC_NLA_SOCK={0x2c, 0x2, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0xb5}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x1000}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x544}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x589d}]}]}, 0x114}, 0x1, 0x0, 0x0, 0x80}, 0x8001)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000000)=<r3=>0x0)
ptrace$setregset(0x4205, r3, 0x1, &(0x7f0000000040)={&(0x7f00000000c0)="a785a1650da3a064ce55ce4f197a2bdf803260ea60cf6b518d3019ddcd2f200a635fcb68aa962b24a7c4c3588b25412acd174474f04c5f9d417f8e26efd33537fea67ca8f1dd12a6f87d091a555f61e671a7de928bb431039eb25d19ee7a7284d389a1bac77a37d1f14f5e73632482760ff8a81cca9e8d8a0cbe43f5f490660c616fb48e2efba5abf81c0c609102a18face470dd933294e72853a1f8cdca1db3574032a9a389c5313930ab94bd4bd3b05eb331e6aaf30a12da296b451782ca978ad5abd3521ea02d4a5c9ebf85f5f99a80c49d023c122797aade8ead4eb88ffde93e77f58d256c78256ec0", 0xfffffffffffffefa})
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
getsockopt$EBT_SO_GET_INFO(r1, 0x0, 0x80, &(0x7f0000000500)={'filter\x00'}, &(0x7f0000000580)=0x78)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
setregid(0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x2e4)
getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f00000001c0)={<r7=>0x0, 0x3ff}, &(0x7f0000000200)=0x8)
setsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r6, 0x84, 0x22, &(0x7f0000000240)={0x2, 0x8000, 0x7, 0x2, r7}, 0x10)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:54 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  487.269211][   T12] binder: undelivered TRANSACTION_COMPLETE
[  487.307204][   T12] binder: send failed reply for transaction 1862, target dead
[  487.353596][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  487.368069][T13430] binder: 13426:13430 Acquire 1 refcount change on invalid ref 0 ret -22
17:34:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4800000000000000, 0x0})

[  487.396593][T13430] binder: 13426:13430 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  487.439588][T13430] binder: 13426:13430 transaction failed 29189/-22, size 0-0 line 2994
[  487.477692][ T7796] binder: undelivered TRANSACTION_ERROR: 29189
17:34:54 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:54 executing program 4:
getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, 0x0, &(0x7f0000000140))
syz_open_procfs(0x0, 0x0)
truncate(0x0, 0x0)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, 0x0)
perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee67, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getsockopt$bt_hci(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000100)=0x9)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='mounts\x00')
preadv(r0, &(0x7f0000000480), 0x1000000000000237, 0x0)
ioctl$TIOCSETD(0xffffffffffffffff, 0x5423, 0x0)

[  487.498783][T13474] binder_alloc: binder_alloc_mmap_handler: 13471 20001000-20004000 already mapped failed -16
[  487.524442][T13472] binder: BINDER_SET_CONTEXT_MGR already set
[  487.540487][T13472] binder: 13471:13472 ioctl 40046207 0 returned -16
[  487.611744][   T12] binder: release 13471:13472 transaction 1869 out, still active
[  487.614299][T13479] binder_alloc: 13471: binder_alloc_buf, no vma
[  487.637312][   T12] binder: unexpected work type, 4, not freed
[  487.643369][T13479] binder: 13478:13479 transaction failed 29189/-3, size 0-0 line 3147
[  487.652168][T13474] binder_alloc: 13471: binder_alloc_buf, no vma
17:34:54 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  487.658588][T13474] binder: 13471:13474 transaction failed 29189/-3, size 24-8 line 3147
17:34:55 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
clone(0x200000, &(0x7f0000000200)="6d7a6eabf951cc3cc2152804dd68aa707bcfdecf8ca7d4518de1b01a7292fe0ea5a30277ef708eb9d1574e49118c7a6dade5bfa2e32aec63cf066533988dba53895a775617d6a1ab5d9556166310dfcf523862b7d3bc6e9770f690a74f3419971498b461fa48af6f6dbf4682b620b7de3df3d9ef47d1dce67d3ea172c84785d900afe60c9b5d932536380608906d1fe6610eb66fe4e2c963addebe7e981a2ff7867cb9d70701ef79f075a9005ac22b68b24b4f92453a7a61d9d7b29ee61bdc47bac19856f9a3f99c94b0f7aa6abdea6b0cebf454f3bddfd69196e6d2cffc5ad3a58a366168ebd6b313aa7e3de2b234448b90e797b2a7dd66e7", &(0x7f0000000040), &(0x7f00000000c0), &(0x7f0000000300)="002ce6a2dfe2a36b96ebeeea901b29159cf8cab2d27f9fb365462eb08dca1a77a4e43ff2f416a1aa8a097538d2d49716da91f8b36d83de15d1178b4434ae3b99ce9c0d7ceff07edcda2de7fdcff730bec587754010ae09f4fba7b216e5be6710c2736a25fca6b9019dd46e1a38aa2169daada88e3efda5d23657eed6d4809ecfbff3d5bdd02aa36c07fd8866897a212c7ff6d101dc14fd309a838e3c5ada6b60dc85142f25b087f9cea5d68b7b86aab77368d23c547c33f01830e45d2bdbec4df79376502357624d823a44e8083e540e729a1804e1397a8b9391fdd4c4f60d")
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
socketpair(0x0, 0x6, 0xef93, &(0x7f0000000000))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x4c00000000000000, 0x0})

[  487.711864][   T12] binder: undelivered TRANSACTION_COMPLETE
[  487.739988][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  487.743914][T13510] binder_alloc: 13471: binder_alloc_buf, no vma
[  487.769975][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  487.779968][T13510] binder: 13496:13510 transaction failed 29189/-3, size 0-0 line 3147
[  487.795169][   T12] binder: send failed reply for transaction 1869, target dead
[  487.820034][T13591] binder_alloc: binder_alloc_mmap_handler: 13560 20001000-20004000 already mapped failed -16
[  487.847409][ T7796] binder: undelivered TRANSACTION_ERROR: 29189
17:34:55 executing program 4:
syz_emit_ethernet(0x1, &(0x7f0000001080)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa0086dd6001177700940000cd6718736583632052a7fa833682affd00000000000000000000ffffffffffff000900000000000003000740000000080e0080000800000000000000060000000000000005000000000000000400000000000000983000000000000000000000000000000080000000000000050200000420880b0000000000000800000086dd080088be00000000100000000100000000724d0e37ae3e0d272efe38000000080022eb0000000020000000020000000000000000"], 0x0)

17:34:55 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x80000, 0x0)
ioctl$PERF_EVENT_IOC_QUERY_BPF(r0, 0xc008240a, &(0x7f0000000040)=ANY=[@ANYBLOB="02000000000000000000000100000000"])
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x420400, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
set_thread_area(&(0x7f00000000c0)={0x20, 0x100000, 0x4000, 0x6, 0x7, 0x1000, 0xf4f4, 0x7, 0x9, 0x10001})
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  487.877540][T13578] binder: BINDER_SET_CONTEXT_MGR already set
[  487.887734][T13578] binder: 13560:13578 ioctl 40046207 0 returned -16
[  487.899920][T13597] binder_alloc: 13560: binder_alloc_buf, no vma
17:34:55 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, 0x0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  487.946526][T13597] binder: 13560:13597 transaction failed 29189/-3, size 24-8 line 3147
[  487.955552][   T12] binder: send failed reply for transaction 1879 to 13560:13578
17:34:55 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r3 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x80, 0x0)
write$FUSE_GETXATTR(r3, &(0x7f0000000040)={0x18, 0x0, 0x7, {0x6}}, 0x18)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
socket$inet(0x2, 0x800, 0xffffffffffffffc1)

17:34:55 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  488.005054][   T12] binder: undelivered TRANSACTION_COMPLETE
[  488.011260][T13608] binder: 13607:13608 Acquire 1 refcount change on invalid ref 0 ret -22
[  488.034758][T13608] binder: 13607:13608 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  488.055002][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  488.070169][T13608] binder: 13607:13608 transaction failed 29189/-22, size 0-0 line 2994
17:34:55 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r1 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x2, 0x200000)
ioctl$NBD_SET_SIZE(r1, 0xab02, 0x9)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
dup2(r1, r0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6000000000000000, 0x0})

[  488.099196][T13614] binder: 13613:13614 Acquire 1 refcount change on invalid ref 0 ret -22
[  488.104394][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  488.188005][T13614] binder: 13613:13614 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  488.191199][T13623] binder_alloc: binder_alloc_mmap_handler: 13618 20001000-20004000 already mapped failed -16
[  488.226556][T13614] binder_alloc: 13618: binder_alloc_buf, no vma
17:34:55 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, 0x0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  488.237187][T13614] binder: 13613:13614 transaction failed 29189/-3, size 0-0 line 3147
17:34:55 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x20800, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(r2, 0x5380)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  488.282153][T13621] binder: BINDER_SET_CONTEXT_MGR already set
[  488.312868][T13621] binder: 13618:13621 ioctl 40046207 0 returned -16
[  488.320767][T13629] binder_alloc: 13618: binder_alloc_buf, no vma
17:34:55 executing program 4:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
r1 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0)
ioctl$BLKROGET(r1, 0x125e, &(0x7f0000000040))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  488.345362][T13629] binder: 13628:13629 transaction failed 29189/-3, size 0-0 line 3147
[  488.355672][T13630] binder_alloc: 13618: binder_alloc_buf, no vma
[  488.366790][T13630] binder: 13618:13630 transaction failed 29189/-3, size 24-8 line 3147
17:34:55 executing program 3:
r0 = accept4$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x0, @initdev}, &(0x7f0000000080)=0x10, 0x80000)
getsockopt$inet_sctp_SCTP_ASSOCINFO(0xffffffffffffffff, 0x84, 0x1, &(0x7f00000000c0)={<r1=>0x0, 0x9bb, 0xfb40658, 0x2, 0x10001, 0x3}, &(0x7f0000000100)=0x14)
setsockopt$inet_sctp_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f0000000140)={r1, 0x672f, 0x9, 0x1}, 0x10)
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r2 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
openat$audio(0xffffffffffffff9c, &(0x7f0000000180)='/dev/audio\x00', 0x101200, 0x0)
getsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f00000001c0)={{{@in=@initdev, @in=@multicast1}}, {{@in6=@remote}, 0x0, @in=@remote}}, &(0x7f00000002c0)=0xe8)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  488.442671][   T12] binder: send failed reply for transaction 1886 to 13618:13621
17:34:55 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, 0x0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:55 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
r0 = syz_open_dev$cec(&(0x7f0000000040)='/dev/cec#\x00', 0x1, 0x2)
getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f00000000c0)={<r1=>0x0, 0x7}, &(0x7f0000000100)=0x8)
getsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000140)=@assoc_id=r1, &(0x7f0000000200)=0x4)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
r2 = perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(r0, 0xc004562f, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
ioctl$FS_IOC_GETVERSION(r2, 0x80087601, &(0x7f0000000000))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
ioctl$KVM_X86_GET_MCE_CAP_SUPPORTED(r3, 0x8008ae9d, &(0x7f0000000000))

17:34:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6800000000000000, 0x0})

[  488.512145][   T12] binder: undelivered TRANSACTION_COMPLETE
[  488.631758][T13654] binder: 13646:13654 Acquire 1 refcount change on invalid ref 0 ret -22
[  488.668180][T13654] binder: 13646:13654 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  488.675196][T13671] binder_alloc: binder_alloc_mmap_handler: 13647 20001000-20004000 already mapped failed -16
[  488.713568][T13654] binder_alloc: 13647: binder_alloc_buf, no vma
[  488.731810][T13652] binder: BINDER_SET_CONTEXT_MGR already set
[  488.740503][T13652] binder: 13647:13652 ioctl 40046207 0 returned -16
[  488.761464][T13720] binder_alloc: 13647: binder_alloc_buf, no vma
17:34:56 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140))
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:56 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = syz_open_dev$vcsn(&(0x7f0000000500)='/dev/vcs#\x00', 0x9, 0x501202)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffffff, 0x84, 0x70, &(0x7f0000000540)={<r1=>0x0, @in6={{0xa, 0x4e23, 0x8001, @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x2}}, [0x400, 0x2, 0xffffffffffff0a9f, 0x9, 0x4, 0x81, 0x100000001, 0x9, 0xfffffffffffffd14, 0x5, 0xa8d8, 0x0, 0x1ff, 0x0, 0x800]}, &(0x7f0000000640)=0x100)
setsockopt$inet_sctp_SCTP_AUTH_KEY(r0, 0x84, 0x17, &(0x7f0000000680)=ANY=[@ANYRES32=r1, @ANYBLOB="0000b900dd7f28f04273b867d9c8595593a94531ee55dd40d8fc6bcdb3084d58d4ab0738e4ae08af0786f875f0f7c02d7b34ea68225ba183200ee46cd92af1336e9e05f884f69f92c6f674991b3917760d9544ec1e632730f16593060f13ceed14613f78a73482e5d4648bbd641d5f6e4aa5353b5d59c03037609634d897c86487f3cdc116b17033be2fe4433f4b174de2ea5c7fdbb54ae9c886de8f2fbdb7d4d3e5cae0cc63f54961f661e8e6458e0ffea2b9ceacbe9a54ba1ea0fa0b"], 0xc1)
pipe2(0x0, 0x0)
ioctl$TIOCGSID(0xffffffffffffff9c, 0x5429, &(0x7f0000000000)=<r2=>0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, r2, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r5 = syz_open_dev$amidi(&(0x7f0000000140)='/dev/amidi#\x00', 0x0, 0x20840)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_INFO(r5, 0xc08c5334, &(0x7f0000000200)={0x3, 0xd34, 0x3749, 'queue1\x00', 0x4})
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
pipe2(&(0x7f0000000040)={<r6=>0xffffffffffffffff}, 0x80000)
getsockopt$inet_sctp_SCTP_MAX_BURST(r6, 0x84, 0x14, &(0x7f00000000c0)=@assoc_value, &(0x7f0000000100)=0x8)
r7 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r7, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x6c00000000000000, 0x0})

[  488.810625][ T7796] binder: send failed reply for transaction 1895 to 13647:13652
17:34:56 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000000)={&(0x7f0000a76000/0x3000)=nil, &(0x7f0000ffc000/0x2000)=nil, &(0x7f0000e4d000/0x4000)=nil, &(0x7f0000f13000/0x4000)=nil, &(0x7f000037b000/0x8000)=nil, &(0x7f00006f7000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000795000/0x2000)=nil, &(0x7f0000e76000/0x4000)=nil, &(0x7f0000fff000/0x1000)=nil, &(0x7f0000ffd000/0x2000)=nil, &(0x7f00000000c0)="17543d7458543585688ffe1ff10c38e8157ee7df5b61646b3a3a3866fd0fa1ed970e025eeb738d9a34aa49dca8e3d3118e95ceb5ccfeb00071dc9932f8b0746b4c016c682be2e5b2b49834a2b97862863f76a80738e8d3efd33730d16129eddaf21e15dd99311fff23d12eb0ea70c5a51dae4120eeee78ff64d645e5bf52a17b2901d84f0e0adc3322894d8e2876e6157606e6399cfa3aa417fa6460de2ee48acd9c9d1f902dc3fd754f1ab80904858d7877e41d00143268d1dc8759365c4d791421f73e0587367d7899f1414bf475f9ed2559cf3c05455549a8d04cc65f5a0c6f64ef74b85e06a275b6c7f6f1a2bf814c3fe94507a1f39971f13cf3404b08dc0831d3b4622ed67707f7a60f2d10f1e4b0318624d48b5302a903f24d9e420477c88d60030757d1bac14026671a78dce89d038071857cd0e4868c2621064331be208df6dd3e91bf0000981ace12a07d0113ef57dcad5be0326cb99913046cad2b759f9a5e6ed941632253d2b7a08fa1e70b6bf8ba3938e185a8d4854140dedd0c0a4134879b4598784b29ce065e0eb07c7becaf1a02f533e60c361a32e187d06fda08ecd4f0be715ac52926be6f5247b7845b5660cfdb314825f6b5d2c679f85434172c34f745b7b27aeb31ecfd44f634f7d99b7a082d604e990aa441483e635a22a8d1897f7e56e610f8c71745019148f9bad483f7a5d5bb9dac2582802a9a2342dc56fab7e24e7556a9de9c5c78add6e926ee108211cef3172b8ea4958a68d787f69bfa30851d14424c7c7a805af26b9d900a048993ef57665acb2f975957eb2eee04bd9bb3611c237f854640d68e1fcdcfd692e8976a5fe61702a9307f9c94565064b031e2e049c16ad98b203d54c3a95c7ff6bfd2457b9d5abad0c6417c38f50dc9e32ec6d3162ff2b02d2514f06ba1d8f700854b450a55e45bc7b7d27afc7de855dafce8a8e77f41d8d3aa430d0fe5830f24bdc4ae4491f6fa88e75c2c3ad59938ef91efda551a54a6a0438b1e160276371a236f441b88c0d1f03e9ebf2035cf29aa84e56082d7e799cdb82e54da6008e16d83ba226ee17559a6462a8c5ee596da64b0baa24a0ab8642e8605b7139b27fa560fe94a1f52dd0314f9a9f1c1f8e164f498b88e478c096dda990a8456fce1c6d8ff76db66bc139842d9db6762d08c05c3629036650d2d50bcd156dba42b17330b5e8e4dd30e5f73c59249b29650a18438c1bf0e71578c272fb921634dc6dc75383b84e48a4cb3b877cd24b41d50095f874d918d06bcc4c2d549a32a1a3c767f4e60feab59a35513b67156d310f897b63591454c46a270b26d6734d48eecd5c50236dd1a14a01955dd3f576e83ae80e17dfefe28d09764ad9a17894438a5cd537228737483299f95e77f2097295736fed260bbe88f4456c72fffee1b3b0ce5ea2ca0b8cc6db8f21a7a55889e2ee24dddd22cf514e8970734c8f88de110ba3bf7aa3fe202c841c08b2ba77f5aec2ac75bf19bc79bc50a83ca0058efdde89b945b6d21f8062852314bb619fd65a6fecd6a4556555dec5f842bdd446a23601ca410fd68384bd41132afd0e76c7a1e808112eaeeac04a47cecfccf3e3f209cbd3fb106498fb2259de630bdba22f9eb4362d6a5be589827d7c82d38d2bf8f52ae5b0ee91a3ce8f36088f3592ea08f590940331a02c21bced9289c538dff76a0e0cf2a9fcdfca5325ea519e3ed03c92adf5185f7e51726dc7f7aa4751a941b18df2e76a150437ac52b523473dc94c23a466eb18139fb8aa475d9cdbafb708c39014e37831ea6c63e74a01d7e027aeb992362c0e614489f4baf91c5c4be629783b1f2719a97da39a5de918f1c2524c8b6a9f22a89991a381d1ce861ceb6c6955d6262e27e61dfe32385dc74089e171013b8c43ee052827bde0febff03e46dd7c5afe03bedff79c43e61b82a7107d0c908f7f708c1b80b83568c766136d69f7f15457bd822d338cc56827f00f5782f01187d21344abfd8d63f2f0bc1cac83e78f5cc093bd61b99bf553a6f0b0714392160deb41e707a50a1f621b145c5b00a45ba713c4c92a94f95292e4cee2f9d4096c7416407eb5edb6dfcbe85d4d205505090075489c07bcaa1738f37f17199cfb16b223fb5c332de49378aed277d1706affeb0c5bd1280e4542efa88903e11cf8085d0b884c9c96aec69ae270e84b2d708d86ee964f6c42f5d4065046e041c2de64604936f7099bfaad10a8c2ba7a56a5c6d84fd6552fc0e9d61bcb2d0e1ef4eefed946034433a4a6f287a4c0b74f7b9521df8a2f0de981ef034d12966548b829cba128cb367e213625b46968122ffe8e18343eea148a3bbd3c41718a109b6308baadda16d73ea6ffed7d94c8058e556189cacd98f5642c60029717ac1dac72de477c3364f922c78851ed9654d4f71379a3e04eeb186a9c624b329d0812c312a28c63c83263a3fadf411152a1b2d6ebddc5306f36b517b11010be3ef438ef5fe3c94f2defa471914f1783bbd70c431292160c63029cfff1bd2aac07e46561ea65fb83ee4dfbfd49bb32d5696dc1e3d876f6054fb5751c56e9c4a0ec80afb887c02e729f4e04a0dea0bddba097989983746c6757a34c0b31384d5233e00083b67a4a2dc367f9f4e87b2133b8a6ccc517b87f13ccbe452e90188e3c898cb0eeee252767fb8890527386a9fc696ee24b723064eac84264a411cb941ecd5b2a747c79f8b766e773b63dbd8f0ad79e758cf4c8dee0cc01fce53cd9383b34e541e6ff569d161eab9e1d8bea51014707da5489ef39458fe244e0bf0b7e7d703d655203b4091350db069912c1db1298a0758cbb1406e4114a6fa730b0376911520935c70d55a753a3d2a2a51503016a4b90bcc6df4089d2db415e1d8692be846c484fe52890014e4a1a320a111f35b0543f7606361d0f48b76890f69c5e27945c67a5ed44eb1c55ce6b52d336b5bd0e29b104cd90c093cb3b45c14ae5d9b15ac7a13584aa368052a3d669efd4b0fc24abc170fea65556899480084a2b5ac9cccc87d9bd20058a9c095aebdd56a360ad61d7ee6f7bbc15fe4ae4d358578cfa3349a0b529d6a0ae11cf4bf09ecedc4cd187c5811a4352488dcc17449013d95a27d5bd6a6bf39214f40035a19c2f50dd0bfc24bd8c213617451c95200c8f376397ac40928e45905200b6607626e4bfd7d5826d63d01bf8480d656532465f134caca94be88575b1d0fae88906971e3ddc2116d05ea750c8234049180f02a7bc2aad77f8038b1e5b73fecc0e18e66f64390359636bc99908eefc66b4a6945543ac4dd32752189299d541bc6b637037bda0d947235373b2755a530ad61c62e3e4f4a1370900e886dfee836fbcd70062799598571ab3c7aab69992efa3d8271a70b8d09a0dabe6ea3a43948581d9c37d00c4379ea06050b33545300125a1d5a2078ff15d2a5fae8dfe4b5402ebb38416233d91dbd33439963df8415dca8d38ec11102ce20b8bfb547115a087b0ffcfb14781f0f49ac512db076ed3493ec5ba1a5bda59cceb02e2b389319fd57f08a6b67b90c289f7b2d2f33058a4655a7231caf38d230ff6d9ddd8c36f3f812b92ffc569eaeb122630a164567dd2f7ddb5dfdf5972b1630ddfb53476d6dede5693f963a8f32287dc71f2b453db5643bcbd2454ecd46678ab772fc2bc69b9f2ffd7786f77ec5cc35fe2661f76bb1fb1639c23a790cef2d28cfa50d959c8fe25bd7b3175f54f3041f3dfe03910a2c9d4cdca5da3110e01e0a70fec67abf4e3ad21bdf93640310d100013e1f3f9830b0d16886611a49520af348db53bcf8b03ab63f8e88b5f05b9a251e7e06f21b986a9c436a95dd77e05331167ee601690ac27c7ba51e9d845bbfe62fa3250aafaaa309ffb2b1a8b145e88de47f5285593782e251c2c6d8b094c21ab4a8e9ed9877c84b8d75023a0beea733f119983914217e065e9311e07d514f881011d2021512b46c5bbb6c91f81c0987c923443795a8e18a969e530ac556ed62089f0eb4bbbf363fe632320c7409f732a6ac783165481b6b9e3a1d43cc266d3dc8b83280ab9cf2f3546368bbc149598abe55817f06193a8c80aaa5183b1d5d321245b28fc9a020634c022ed90a2c738457eee3bad1f7ec7eda439c1dc2457755c7098f546985ba843c6134ce28e04346228a67bd94b3f666086b023c27dec53f2a8302a961285e9b7c6ecdd80004cb2a34a7eb05db5193370c4a922f36fd51ff6e9029509a980400feec4d292b8efc9aa49e46ca43f703c0a53782beec2a2fef92f0b2a7d95949ddffabe23fd7c56668149c87cea2d8a68383ced8361329abdb778b7c78be29fe26d9ec5522e34b720848c658e35c1e8ec46957d0e5b10866b6d9f6d3ba25c93ccde6384411b061259e9134d7a1ceb91727c9519aeb199ca87260d5df7ebbac9dc38ebbe95616fd26dadba6456873a3aeab2251b90769726bbd95d49be95d369716ea7d9f3d43524d3b2e668c20fcb7868aa2e23cbe0c32a93ba4833420703533b85020926a642ad02ec7c33455f008b5b8fbc258b293f416416c8481d26f90ca302843e40e2c540794e438199e394483364f94cd22cc042308283738f632789d6fdde77ba20f5507c1fe340ae99fd46a20df9251503afc8ffdd8c4dedefbf4c86b470751cc10f61e77cae6acaa58130f896b8860d29a71ea85e71b8fa2660c75eaee19ab4f17675ac2595e8ce58281a67accf78ada7ea231a2ab6ed0088e00278e771a00812a99954b352b7c2cf1a7ab8d8fac10f4a5737cd9467a2170199604a49ccc8ca6d9c0d09a8bf80ff4a03ab2fc57a09b67a8668637ecada85b7b28100a678fe2b22373fa35e0da0c30913ec02eb43d88659431b556da3c1b48df33f76cbdd4eeb1c7036550e71cb599688ba0d2f26e645e91d16898e7f944dff2e2fb091b647e1afbec7fd497ee0388eca91c4adace5c202c89871ada96c7e23f5aa7cf387e6ed74e3f887bf70bf10aee1ff678b37a043ee886aacecb8d88746f5959a681136079317d42b28740817392f15ad1d74a4378aad53548fbcc8f0ed3b6af8cf7386060d7659b1e2cd3216af3f94482348148e24c6867c85283ae277e8781a5671921b5687b3cd641f23914ff92c1cdc5f9d9ecac5a89273be7d255863b84aa3871ebe8ba0cdb9176cd49c448c01a88737403a0cf859c48250871cd1e9f618be8adc27fb21a6ecffd4591057909ed7961377594ba8a2ad32cb39431face0ca667f94e38c7b9d0468ab2dee902f75ac1be57c0074e7076c525c79b7146064f2f8ddcc57a5bb7ac433f2c62b883a18e1e5ad46ce88d67aa14a832d860be84bf06c77a0b9f737ac4b58067b7c49ac5e449b2753c7b0af87a2dff2b2c613f22d8479945e46869b8b47292ffe3797c24125569dac5f36e47bfaf360913f0035c228315bc586fcdb16a1a80146bc85357edfe21c55a2c65fa6ec45565ca53e391692269b0235837542a66fc5d6d4efce9a76137b96a5cb1f878159a1fd13408c8fe09d517c6eae3cad2530ee7922b6996c4ef3399448559a491c2ac0570afd1bdaa09a21ec41a082948f5a6b2eef34fc41a2e8373874122e4bc1a3dcd4d2005a197649461b9a02d4fd55fffa8e086d8a55b9b5278eef4ab439217c0ac22f880079cf78e4bfd9ac81e0b02bd34bb3babf802a6cf29436de0e2ee98f1e787dde194abf5ae3d878f5c879c8aeeb5636a9f7eb374434fe09fd128d19ff19baf96f79132a11ea027047e6f48624ab4c595ede0f4cbb6fda4763ad1519b6cd6dfd55b782e2db9e8f4c0e0ed1c569e3991009a", 0x1000, r0}, 0x68)
r2 = syz_open_dev$sndpcmc(&(0x7f00000010c0)='/dev/snd/pcmC#D#c\x00', 0x10001, 0x200)
ioctl$SNDRV_CTL_IOCTL_PCM_INFO(r2, 0xc1205531, &(0x7f0000001100)={0x6e, 0x1f, 0x7056, 0x3, [], [], [], 0x0, 0x2, 0x8, 0xd33, "cd7063a91640de8aeb01108370f29a79"})
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
syz_open_dev$swradio(&(0x7f0000001240)='/dev/swradio#\x00', 0x0, 0x2)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  488.947015][T13762] binder: 13761:13762 Acquire 1 refcount change on invalid ref 0 ret -22
[  488.960549][T13762] binder: 13761:13762 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
17:34:56 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x10001000008912, &(0x7f0000000140)="a0c09e7d89683b12041319613dc8d274e061b15fb4000000000000000000000000000000000000000000")
r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vfio/vfio\x00', 0x80, 0x0)
ioctl$CAPI_REGISTER(r1, 0x400c4301, &(0x7f00000000c0)={0x1, 0xf08, 0x853})
openat$cuse(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cuse\x00', 0x2, 0x0)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000180)={0xfffffffffffff800, 0xa882eec, 0x8203, 0x6, 0x7b, 0x7, 0x81, 0x1f00000000000000, <r3=>0x0}, &(0x7f00000001c0)=0x20)
getsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX3(r1, 0x84, 0x6f, &(0x7f0000000240)={r3, 0x10, &(0x7f0000000200)=[@in={0x2, 0x4e24, @loopback}]}, &(0x7f0000000280)=0x10)
poll(&(0x7f0000000000)=[{r2}], 0x1, 0x100000001)

[  489.006550][T13769] binder_alloc: binder_alloc_mmap_handler: 13763 20001000-20004000 already mapped failed -16
[  489.037369][T13768] binder: BINDER_SET_CONTEXT_MGR already set
17:34:56 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140))
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:56 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = msgget(0x0, 0x88)
getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f0000000200)={{{@in6=@local, @in=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0}}, {{@in=@remote}, 0x0, @in=@remote}}, &(0x7f0000000000)=0xe8)
r4 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x80)
setsockopt$bt_BT_SECURITY(r4, 0x112, 0x4, &(0x7f0000000580)={0x80, 0x5}, 0x2)
fstat(r1, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r5=>0x0})
r6 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/dlm_plock\x00', 0x541000, 0x0)
setsockopt$inet_mreq(r6, 0x0, 0x23, &(0x7f0000000500)={@rand_addr=0x3, @dev={0xac, 0x14, 0x14, 0xf}}, 0x8)
r7 = getuid()
getresgid(&(0x7f0000000040), &(0x7f0000000540)=<r8=>0x0, &(0x7f0000000300))
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000340)={<r9=>0x0}, &(0x7f0000000380)=0xc)
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f00000003c0)={<r10=>0x0}, &(0x7f0000000400)=0xc)
msgctl$IPC_SET(r2, 0x1, &(0x7f0000000440)={{0x5, r3, r5, r7, r8, 0x21, 0x80000001}, 0x7, 0x4, 0x6, 0xfffffffffffff91c, 0x100000, 0x100000000, r9, r10})
r11 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r11, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
setxattr$trusted_overlay_opaque(&(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)='trusted.overlay.opaque\x00', &(0x7f0000000640)='y\x00', 0x2, 0x2)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  489.080442][T13768] binder: 13763:13768 ioctl 40046207 0 returned -16
[  489.130084][   T12] binder: release 13763:13768 transaction 1903 out, still active
[  489.138060][   T12] binder: unexpected work type, 4, not freed
17:34:56 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
fcntl$dupfd(r0, 0x406, r0)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x4001, 0x0)
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(r1, 0xc058534f, &(0x7f0000000080)={{0x4, 0x8}, 0x0, 0xffff, 0x1, {0x3, 0x5ff}, 0x10001, 0x1})
getsockopt$inet_mreqn(r0, 0x0, 0x20, &(0x7f0000000200)={@local, @remote, <r2=>0x0}, &(0x7f0000000240)=0xc)
connect$packet(r1, &(0x7f0000000280)={0x11, 0x4, r2, 0x1, 0xd037}, 0x14)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
syslog(0x0, &(0x7f00000002c0)=""/241, 0xf1)
fstatfs(r1, &(0x7f0000000100)=""/207)
ioctl$RTC_AIE_OFF(r3, 0x80247009)

17:34:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7400000000000000, 0x0})

[  489.207975][   T12] binder: send failed reply for transaction 1903, target dead
[  489.239910][    C1] net_ratelimit: 20 callbacks suppressed
[  489.239924][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  489.251619][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:56 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140))
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  489.299557][T13791] binder_alloc: binder_alloc_mmap_handler: 13787 20001000-20004000 already mapped failed -16
17:34:56 executing program 4:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000019)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:56 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000580)='/dev/sequencer2\x00', 0x4000, 0x0)
setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f00000005c0)={0x2, {{0x2, 0x4e20, @empty}}, 0x1, 0x4, [{{0x2, 0x4e22, @empty}}, {{0x2, 0x4e21, @multicast1}}, {{0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0x1e}}}, {{0x2, 0x4e23, @remote}}]}, 0x290)
r2 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
getsockopt$bt_BT_FLUSHABLE(r1, 0x112, 0x8, &(0x7f0000000000)=0x20, &(0x7f0000000040)=0x4)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:56 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  489.405635][T13790] binder: BINDER_SET_CONTEXT_MGR already set
[  489.445257][T13790] binder: 13787:13790 ioctl 40046207 0 returned -16
17:34:56 executing program 3:
io_setup(0xffffffff00000001, &(0x7f0000000000)=<r0=>0x0)
r1 = epoll_create(0x0)
r2 = syz_open_dev$radio(&(0x7f0000000040)='/dev/radio#\x00', 0x3, 0x2)
io_submit(r0, 0x1, &(0x7f00000001c0)=[&(0x7f0000000180)={0x0, 0x0, 0x0, 0x3, 0x3, r1, &(0x7f00000000c0)="f6884eb1ecde82ec00e7ce0e0d2c23d1411a865ac83e83e65d38ab251a6e9288a758a16e5c51d085b18e5153f1f8dea87574f5346d29e5250b9b3c1082a77b77002de61490c8ce8f6276e997890225d081278a02c588779a50855a256e775d105000be094cac680c91710744d99cb90ba6a1e51b7591fca8afdb4b21a26281d658c49454b5f5d7fe4d01baaaf9033a8ba1e399a4e00a690d96c148e7ae91ac885d222a3394e28c66", 0xa8, 0x4, 0x0, 0x1, r2}])
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
setsockopt$inet_msfilter(r2, 0x0, 0x29, &(0x7f0000000200)={@broadcast, @dev={0xac, 0x14, 0x14, 0x2b}, 0x0, 0x9, [@remote, @loopback, @loopback, @multicast2, @empty, @empty, @local, @empty, @remote]}, 0x34)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x3000, 0x0, &(0x7f0000c16000/0x3000)=nil)
ioctl$KVM_GET_CPUID2(r2, 0xc008ae91, &(0x7f0000000240)={0x4, 0x0, [{}, {}, {}, {}]})

[  489.474723][   T12] binder: release 13787:13790 transaction 1912 out, still active
[  489.504006][   T12] binder: unexpected work type, 4, not freed
17:34:56 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
r0 = accept4$inet6(0xffffffffffffff9c, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast1}, &(0x7f0000000040)=0x1c, 0x80800)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0xe, 0x10, r0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  489.556908][   T12] binder: send failed reply for transaction 1912, target dead
17:34:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x7a00000000000000, 0x0})

17:34:56 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  489.639797][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  489.645670][    C1] protocol 88fb is buggy, dev hsr_slave_1
17:34:57 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000000))
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000040)=<r0=>0x0)
getpriority(0x3, r0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  489.689468][T13852] binder_alloc: binder_alloc_mmap_handler: 13826 20001000-20004000 already mapped failed -16
[  489.751949][T13840] binder: BINDER_SET_CONTEXT_MGR already set
[  489.799828][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  489.805750][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  489.813050][T13840] binder: 13826:13840 ioctl 40046207 0 returned -16
17:34:57 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  489.870362][   T12] binder: send failed reply for transaction 1922 to 13826:13840
17:34:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0xfdfdffff00000000, 0x0})

[  489.924347][T13929] binder: 13928:13929 Acquire 1 refcount change on invalid ref 0 ret -22
17:34:57 executing program 4:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000007)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  489.974185][T13934] binder_alloc: binder_alloc_mmap_handler: 13932 20001000-20004000 already mapped failed -16
[  489.988709][T13929] binder: 13928:13929 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
17:34:57 executing program 2:
r0 = openat$vsock(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vsock\x00', 0x8040, 0x0)
r1 = syz_open_dev$vcsa(&(0x7f0000000100)='/dev/vcsa#\x00', 0x8, 0x1)
ioctl$DRM_IOCTL_WAIT_VBLANK(r1, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
write$P9_RWALK(r0, &(0x7f0000000140)={0x16, 0x6f, 0x1, {0x1, [{0x9, 0x1, 0x6}]}}, 0x16)
r2 = perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000002c0))
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setsockopt$inet_MCAST_JOIN_GROUP(r1, 0x0, 0x2a, &(0x7f0000000200)={0x3f, {{0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}}}, 0x88)
ioctl$int_in(r2, 0x5452, &(0x7f0000000000)=0x92c)
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
fcntl$setstatus(r4, 0x4, 0x4800)
ioctl$KVM_SET_IDENTITY_MAP_ADDR(r4, 0x4008ae48, &(0x7f0000000040)=0x5006)

[  490.026394][T13933] binder: BINDER_SET_CONTEXT_MGR already set
17:34:57 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x400000, 0x0)
connect$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x6, @empty, 0x8}, 0x1c)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  490.121292][T13933] binder: 13932:13933 ioctl 40046207 0 returned -16
17:34:57 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
munlockall()
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})

[  490.174879][   T12] binder: send failed reply for transaction 1930 to 13932:13933
17:34:57 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
r0 = perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0x3)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  490.279867][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  490.286221][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  490.317776][T14004] binder: BINDER_SET_CONTEXT_MGR already set
17:34:57 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

[  490.345403][T14004] binder: 13982:14004 ioctl 40046207 0 returned -16
[  490.379498][   T12] binder: release 13982:14004 transaction 1937 out, still active
17:34:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x2400, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x8000, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
setsockopt$sock_attach_bpf(r2, 0x1, 0x32, &(0x7f0000000080)=r3, 0x4)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})

[  490.397864][   T12] binder: unexpected work type, 4, not freed
[  490.430275][   T12] binder: send failed reply for transaction 1937, target dead
17:34:57 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000680)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000634040"], 0x0, 0x0, 0x0})

17:34:57 executing program 4:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000007)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  490.552011][T14067] binder: BINDER_SET_CONTEXT_MGR already set
[  490.587980][   T12] binder: release 14065:14067 transaction 1944 out, still active
17:34:57 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0)

[  490.607815][T14067] binder: 14065:14067 ioctl 40046207 0 returned -16
[  490.620003][   T12] binder: unexpected work type, 4, not freed
[  490.637312][   T12] binder_release_work: 6 callbacks suppressed
[  490.637318][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:58 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB="0000000000000000a9b3b4ce6645045a949f2d9b3e684c4724d820300deb6747cef1d6b6415bf79a8d65ca6bc2200ba4063911cd66d63045d675ce9b50668b88e936bbbddb6a020f6bb2565afbdee154a9c02cda483b6b"]], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})

[  490.692183][   T12] binder: send failed reply for transaction 1944, target dead
17:34:58 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
openat$vimc2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video2\x00', 0x2, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  490.732165][T14088] binder: 14077:14088 ioctl c0306201 0 returned -14
17:34:58 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r3 = shmget(0x2, 0x4000, 0x80, &(0x7f00007c9000/0x4000)=nil)
shmat(r3, &(0x7f00007f9000/0x3000)=nil, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  490.780102][T14122] binder: BINDER_SET_CONTEXT_MGR already set
[  490.806990][   T12] binder: release 14114:14122 transaction 1950 out, still active
[  490.818315][T14122] binder: 14114:14122 ioctl 40046207 0 returned -16
17:34:58 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$adsp(&(0x7f00000002c0)='/dev/adsp#\x00', 0x7, 0x40840)
ioctl$SG_GET_REQUEST_TABLE(r1, 0x2286, &(0x7f0000000300))
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = dup(r0)
ioctl$SG_SET_RESERVED_SIZE(r2, 0x2275, &(0x7f0000000100)=0x5)
setregid(0x0, 0x0)
pipe2(&(0x7f0000000000)={<r3=>0xffffffffffffffff}, 0x800)
getsockopt$IP6T_SO_GET_REVISION_TARGET(r3, 0x29, 0x45, &(0x7f0000000040)={'ipvs\x00'}, &(0x7f00000000c0)=0x1e)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
r4 = gettid()
ptrace$setregset(0x4205, r4, 0x0, &(0x7f0000000140)={&(0x7f0000000200)="96ed286f97520acf73a70840a9012467577c0d2202cb1afdac892aaa2359e2c994e56f70b38a36794ad84b85b076c8493fa3aa322b23e39f0a7d25550c2307e48c97e6f745b87ec31539eb8cf29c2e58d73c16d26df39fa984a82b0f0a00712ee56ebf03af3268a0437a381747e3cfbd989472275dafd82d886547579de915202d9b96192cf3be5a2fa372eeaecc1b5595a8ecde7dca0ee8d3070e0fc57a92c741307c1b4e39e30166a3ad292df5751e8f19d847ff7a9024", 0xb8})

[  490.831000][   T12] binder: unexpected work type, 4, not freed
[  490.862372][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:58 executing program 4:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x80000007)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:58 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0x0, 0x7fc)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})

17:34:58 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0)

[  490.910361][   T12] binder: send failed reply for transaction 1950, target dead
[  491.079806][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  491.079842][    C1] protocol 88fb is buggy, dev hsr_slave_0
17:34:58 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
r2 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x7fff, 0x8000)
r3 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00')
sendmsg$TIPC_NL_NODE_GET(r2, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x100000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x54, r3, 0x8, 0x70bd2c, 0x25dfdbff, {}, [@TIPC_NLA_NODE={0x24, 0x6, [@TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x5}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0xfdbb}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x7fff}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x2}]}, @TIPC_NLA_NET={0x4}, @TIPC_NLA_NODE={0x18, 0x6, [@TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x6}]}]}, 0x54}, 0x1, 0x0, 0x0, 0x40001}, 0x4000010)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})

17:34:58 executing program 3:
r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm_plock\x00', 0x400, 0x0)
ioctl$DRM_IOCTL_WAIT_VBLANK(r0, 0xc018643a, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
setxattr$trusted_overlay_nlink(&(0x7f0000000040)='./file0\x00', &(0x7f00000000c0)='trusted.overlay.nlink\x00', &(0x7f0000000100)={'U-', 0x1}, 0x28, 0x1)
r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x1, 0x2)
ioctl$VIDIOC_S_OUTPUT(r1, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f0000c72000/0x1000)=nil, 0x1000, 0x1000, 0x3, &(0x7f0000ffd000/0x1000)=nil)

17:34:58 executing program 2:
r0 = syz_open_dev$midi(&(0x7f00000000c0)='/dev/midi#\x00', 0x1012, 0x4200)
ioctl$DRM_IOCTL_WAIT_VBLANK(r0, 0xc018643a, 0x0)
r1 = syz_open_dev$loop(&(0x7f0000000300)='/dev/loop#\x00', 0x1ff, 0x0)
fsetxattr$security_evm(r1, &(0x7f0000000100)='security.evm\x00', &(0x7f0000000140)=ANY=[@ANYBLOB="0266078f5897f9b03d767e2c17a21af75294cb82"], 0x14, 0x1)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x6, 0x121181)
ioctl$SIOCGIFHWADDR(r2, 0x8927, &(0x7f0000000040))
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
fstat(r1, &(0x7f0000000340))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
write(r3, &(0x7f0000000200)="fc8238a2cf718e2f543cd0ad4e78aa3107da572fbda682870005c63b40ee9bd9a031f59911827dc387f49fc194bd104b4df7f68b017f62e7b1e6338a0977de99b5d1a61b425d1fa1791dd32e0a75403c5418bf2a708f0d9033469722656149ac49498ade64cfa3fb11b66f7849e3095c91cca8dd65d4364bb0c6c74208393879911d85a59574e5d18cb44c254e2d264e17c2a33cca93447ef63c3b02e9416200d93cf322b5603d9cc06592cdb6760085b5ae29ce0664ff9940c65acaa31bb65cc41239389d44cf0b60b9033d7256a4dc27f12fe610c7b756a2609eb5bfdd1d352c70156e7d", 0xe5)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$TUNGETIFF(r0, 0x800454d2, &(0x7f00000003c0))
mmap(&(0x7f0000e3d000/0x1000)=nil, 0x1000, 0x1000000, 0x100010, r3, 0x0)
mremap(&(0x7f0000d3f000/0x2000)=nil, 0x2000, 0x1000, 0x3, &(0x7f00006db000/0x1000)=nil)

17:34:58 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0)

17:34:58 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x1, 0x2)
getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r2, 0x84, 0x74, &(0x7f0000000380)=""/85, &(0x7f0000000440)=0x3e2)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  491.322984][T14373] binder: BINDER_SET_CONTEXT_MGR already set
[  491.361196][T14373] binder: 14354:14373 ioctl 40046207 0 returned -16
[  491.403858][T14424] binder: 14422:14424 ioctl c0306201 0 returned -14
[  491.411713][   T12] binder: release 14354:14373 transaction 1958 out, still active
17:34:58 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000008000000018000000000000000800ba0000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})
r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x200000, 0x0)
r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000080)='/dev/zero\x00', 0x88000, 0x0)
ioctl$TUNSETLINK(r3, 0x400454cd, 0x306)
ioctl$RTC_WKALM_SET(r2, 0x4028700f, &(0x7f0000000040)={0x1, 0x0, {0x22, 0x32, 0xe, 0x19, 0x1, 0x8, 0x1, 0x133, 0x1}})
ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f00000000c0)={{&(0x7f0000001000/0x3000)=nil, 0x3000}, 0x1})

[  491.460659][   T12] binder: unexpected work type, 4, not freed
[  491.495506][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:58 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

17:34:58 executing program 4:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  491.522808][   T12] binder: send failed reply for transaction 1958, target dead
[  491.560682][T14435] binder_alloc: 14431: binder_alloc_buf size 12189728 failed, no address space
[  491.631306][T14435] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288)
17:34:59 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snapshot\x00', 0x101000, 0x0)
perf_event_open(0x0, 0x0, 0x0, r0, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x1, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
r4 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0xc89, 0x20000)
ioctl$DRM_IOCTL_ADD_CTX(0xffffffffffffffff, 0xc0086420, &(0x7f0000000040)={<r5=>0x0})
ioctl$DRM_IOCTL_GET_CTX(r4, 0xc0086423, &(0x7f00000000c0)={r5, 0x1})
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:59 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

[  491.694523][T14439] binder: BINDER_SET_CONTEXT_MGR already set
[  491.729098][T14439] binder: 14431:14439 ioctl 40046207 0 returned -16
17:34:59 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20\x00', 0x402, 0x0)
r0 = syz_open_dev$usb(&(0x7f00000000c0)='/dev/bus/usb/00#/00#\x00', 0x4f78cb73, 0x0)
r1 = syz_open_dev$audion(&(0x7f0000000100)='/dev/audio#\x00', 0x100000000, 0x40)
r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x400, 0x0)
r3 = syz_open_dev$usbmon(&(0x7f0000000200)='/dev/usbmon#\x00', 0x5, 0x4000)
syz_open_dev$video(&(0x7f0000000240)='/dev/video#\x00', 0x80, 0x8000)
openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000280)='/dev/ubi_ctrl\x00', 0x20000, 0x0)
r4 = syz_open_dev$mouse(&(0x7f00000002c0)='/dev/input/mouse#\x00', 0x0, 0x40000)
ioctl$VIDIOC_S_OUTPUT(r4, 0xc004562f, 0x0)
r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0)
ioctl$CAPI_GET_PROFILE(r3, 0xc0404309, &(0x7f0000000500)=0x26)
sendto$rxrpc(r2, &(0x7f0000000300)="d2207e8db40924e373cb5daaac65b77080cee23e66a7a53846530be5dc61dd4f1604cb8729cbc9366bdb6a06c3a24165baabc9ded2f421207000f50ad64f91751f1fb5a97183e4f92575a5c0323589c8cfbecac027ff0b745129a464d1620b6d485424b8a2e253217395d2e48b59411b11edbb595efb964a555089092b75d4df90c3384b09c4e069cea94898e358935774e62764812a0828d2ff19ce445d7def1bed11459d868060efd2111587d064c68783103874f7234607b3dbfe68c905903d0f19389151c0dc1f931a3af98fa3f06fdaa76cfad7b67cf6e3861d26e15d", 0xdf, 0x20000000, &(0x7f0000000400)=@in4={0x21, 0x4, 0x2, 0x10, {0x2, 0x4e20, @initdev={0xac, 0x1e, 0x0, 0x0}}}, 0x24)
write$P9_RLCREATE(r0, &(0x7f0000000580)={0x18, 0xf, 0x2, {{0x80, 0x2, 0x3}, 0x1000}}, 0x18)
openat$vimc1(0xffffffffffffff9c, &(0x7f0000000440)='/dev/video1\x00', 0x2, 0x0)
bind$isdn_base(r3, &(0x7f0000000540)={0x22, 0xffffffffffffffff, 0x6, 0x2, 0xff}, 0x6)
setregid(0x0, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r7, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x1, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)
openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x22000, 0x0)
setsockopt$ALG_SET_AEAD_AUTHSIZE(r4, 0x117, 0x5, 0x0, 0x7)
ioctl$EVIOCGKEYCODE(r1, 0x80084504, &(0x7f0000000480)=""/83)

[  491.768706][   T12] binder_release_work: 26 callbacks suppressed
[  491.768715][   T12] binder: undelivered TRANSACTION_ERROR: 29201
17:34:59 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000100)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="00000000000000212d0e101a5997121de16f2ec3c11980d788cbc358e736e87407696297b695f7f7d29ff29bfa4ee2045eeccce1b3c624c96312dcaa27e4a551aa855a832e6b2a849e82ab1e612b0a5d4c4fc4e7e7c49e1d82977cb155099d23d9b31e7c1faef36466b603e098392de99527116c46a86e5d97fb9641ac1ea0e6633d672202956e9449cdce37e7ff18f993600015761cb653d521f0b7e1469ac6aa9d"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="0463d30500000000"], 0x0, 0x0, 0x0})
r2 = syz_open_dev$dspn(&(0x7f00000000c0)='/dev/dsp#\x00', 0x2, 0x2000000010001)
setsockopt$inet_tcp_TCP_REPAIR(r2, 0x6, 0x13, &(0x7f0000000080)=0xffffffffffffffff, 0x4)
ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r0, 0x40106614, &(0x7f0000000040))

[  491.840735][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:34:59 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x20000000, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
r3 = dup(0xffffffffffffff9c)
setsockopt$bt_BT_CHANNEL_POLICY(r3, 0x112, 0xa, &(0x7f0000000000)=0x80000001, 0x4)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:59 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

17:34:59 executing program 4:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  491.983575][T14557] binder: 14555:14557 unknown command 97739524
[  492.020754][T14557] binder: 14555:14557 ioctl c0306201 200001c0 returned -22
[  492.072109][T14557] binder: 14555:14557 ioctl 40106614 20000040 returned -22
[  492.105868][T14568] binder_alloc_mmap_handler: 5 callbacks suppressed
17:34:59 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0})

[  492.105885][T14568] binder_alloc: binder_alloc_mmap_handler: 14555 20001000-20004000 already mapped failed -16
17:34:59 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x2040, 0x0)
r1 = syz_genetlink_get_family_id$fou(&(0x7f00000000c0)='fou\x00')
sendmsg$FOU_CMD_ADD(r0, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x40802000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r1, 0x100, 0x70bd27, 0x25dfdbfe, {}, [@FOU_ATTR_REMCSUM_NOPARTIAL={0x4}, @FOU_ATTR_PORT={0x8, 0x1, 0x4e24}, @FOU_ATTR_REMCSUM_NOPARTIAL={0x4}]}, 0x24}, 0x1, 0x0, 0x0, 0x40000}, 0x20000000)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f00000001c0)=<r2=>0x0)
getpriority(0x0, r2)
ioctl$VIDIOC_S_OUTPUT(r0, 0xc004562f, 0x0)
openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000200)='/dev/btrfs-control\x00', 0x2, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
setregid(0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  492.202971][T14557] binder: 14555:14557 unknown command 97739524
[  492.230719][T14577] binder: 14555:14577 ioctl 40106614 20000040 returned -22
17:34:59 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0})

[  492.265829][T14576] binder: BINDER_SET_CONTEXT_MGR already set
[  492.291375][T14557] binder: 14555:14557 ioctl c0306201 200001c0 returned -22
[  492.308060][   T12] binder: release 14555:14557 transaction 1969 out, still active
[  492.328321][T14576] binder: 14555:14576 ioctl 40046207 0 returned -16
[  492.338526][   T12] binder: unexpected work type, 4, not freed
[  492.352464][   T12] binder: undelivered TRANSACTION_COMPLETE
17:34:59 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x1400000000000000)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0})
mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x2, 0x58113, r1, 0x0)

17:34:59 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0})

[  492.383400][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  492.407177][   T12] binder: send failed reply for transaction 1969, target dead
17:34:59 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
r0 = perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vga_arbiter\x00', 0x418000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setsockopt$inet6_MCAST_MSFILTER(r0, 0x29, 0x30, &(0x7f0000000200)={0xffffffff, {{0xa, 0x4e24, 0x0, @mcast1, 0x1}}, 0x1, 0x4, [{{0xa, 0x4e20, 0x80, @initdev={0xfe, 0x88, [], 0x1, 0x0}}}, {{0xa, 0x4e20, 0x401, @empty, 0x8}}, {{0xa, 0x4e21, 0xffff, @local, 0xa55}}, {{0xa, 0x4e20, 0x80000000, @ipv4={[], [], @multicast1}, 0x8}}]}, 0x290)
r3 = getegid()
stat(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0})
setregid(r4, r3)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r5 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$PERF_EVENT_IOC_PERIOD(r0, 0x40082404, &(0x7f0000000000)=0x2)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  492.466149][T14688] binder_alloc_new_buf_locked: 16 callbacks suppressed
[  492.466158][T14688] binder_alloc: 14686: binder_alloc_buf, no vma
[  492.493922][T14688] binder_transaction: 21 callbacks suppressed
[  492.493983][T14688] binder: 14686:14688 transaction failed 29189/-3, size 24-8 line 3147
17:34:59 executing program 4:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x20000000000000)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:34:59 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0})

17:34:59 executing program 2:
r0 = openat$full(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/full\x00', 0x4402, 0x0)
ioctl$DRM_IOCTL_IRQ_BUSID(r0, 0xc0106403, &(0x7f0000000400)={0xc0, 0x6, 0xff, 0x5})
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vsock\x00', 0x20200, 0x0)
ioctl$CAPI_MANUFACTURER_CMD(r1, 0xc0104320, &(0x7f0000000140)={0x6, &(0x7f00000000c0)="7051ff3d8b06dcadab7d0726fe103ee924483a1de969faab6e946971bf38e03a6e879c2972e3ed52bceeac2084dfc4f17ac7c6b391ec444920181e3ffb1df3537cadf3846d7a3a1664eb6f7a9111ea48e1f0873d73cf5d73"})
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000))
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
openat$rtc(0xffffffffffffff9c, &(0x7f0000000480)='/dev/rtc0\x00', 0x40c000, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$SNDRV_TIMER_IOCTL_STATUS(r1, 0x80605414, &(0x7f0000000240)=""/101)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$VHOST_GET_VRING_ENDIAN(r1, 0x4008af14, &(0x7f0000000380)={0x800008000000003})
prctl$PR_GET_TIMERSLACK(0x1e)
ioctl$FS_IOC_FSSETXATTR(r1, 0x401c5820, &(0x7f0000000440)={0x8, 0x48b, 0x4, 0x7, 0x80000000})
ioctl$KVM_X86_GET_MCE_CAP_SUPPORTED(r1, 0x8008ae9d, &(0x7f00000002c0)=""/192)
ioctl$VIDIOC_S_CTRL(r1, 0xc008561c, &(0x7f0000000200)={0x9, 0x2})
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  492.617030][T14699] binder: 14686:14699 unknown command 0
[  492.663412][T14701] Unknown ioctl -1072676064
[  492.681467][T14699] binder: 14686:14699 ioctl c0306201 200001c0 returned -22
[  492.708177][T14701] Unknown ioctl 44545
[  492.745661][T14701] Unknown ioctl -2141170668
[  492.746015][T14699] binder: BINDER_SET_CONTEXT_MGR already set
[  492.765783][T14699] binder: 14686:14699 ioctl 40046207 0 returned -16
[  492.787327][T14688] binder_alloc: 14686: binder_alloc_buf, no vma
17:35:00 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
openat$vimc0(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video0\x00', 0x2, 0x0)
r0 = syz_open_dev$media(&(0x7f0000000040)='/dev/media#\x00', 0x100, 0xa0000)
r1 = openat$vimc0(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/video0\x00', 0x2, 0x0)
ioctl$VIDIOC_S_OUTPUT(r1, 0xc004562f, 0x0)
ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r0, 0xc01064b5, &(0x7f00000001c0)={&(0x7f0000000180)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x7})
epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r1, &(0x7f0000000140)={0x40002000})
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vhost-vsock\x00', 0x2, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  492.792419][T14701] Unknown ioctl 1074310932
[  492.805505][T14699] binder: 14686:14699 unknown command 0
[  492.826141][T14701] Unknown ioctl 1075599392
17:35:00 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0})

[  492.854207][T14701] Unknown ioctl -2146914659
[  492.896140][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  492.911627][T14688] binder: 14686:14688 transaction failed 29189/-3, size 24-8 line 3147
[  492.929367][T14785] Unknown ioctl -1073195492
17:35:00 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x0, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0})

[  492.948232][T14701] Unknown ioctl -1072676064
[  492.950738][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  492.961623][T14699] binder: 14686:14699 ioctl c0306201 200001c0 returned -22
[  492.999607][T14785] Unknown ioctl 44545
[  493.018166][T14701] Unknown ioctl -2141170668
17:35:00 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
ioctl$RTC_AIE_OFF(r1, 0xc0189436)

[  493.040672][T14818] Unknown ioctl 1074310932
[  493.060354][T14821] Unknown ioctl 1075599392
17:35:00 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$EXT4_IOC_GROUP_EXTEND(r0, 0x40086607, &(0x7f0000000000)=0x3)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})

[  493.100134][T14822] Unknown ioctl -2146914659
[  493.109366][T14821] Unknown ioctl -1073195492
17:35:00 executing program 4 (fault-call:3 fault-nth:0):
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

17:35:00 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_UNREGISTER_COALESCED_MMIO(r1, 0x4010ae68, &(0x7f0000000000)={0xd000, 0x1c000})
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r2, 0x84, 0x1d, &(0x7f0000000040)={0x8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f00000000c0)=0x24)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:35:00 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = creat(&(0x7f0000000000)='./file0\x00', 0xa5)
ioctl$SG_GET_NUM_WAITING(r1, 0x227d, &(0x7f0000000040))
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
clone(0x10000, &(0x7f00000000c0)="63b8437dd67cb68a38fdae9667c5f7d78884086a2a744070d3ae759012d0dd6169a6dd3bd7fbba0594bcc154a8b135ad61b4c59eec615513868d078b5452b769ee7b8bc08ff70829d8855368d756a779ad5219054203f3f3bb08e4467a68e41f1cb9012f0896fc44f65df11a8fe713461fbeb71083c2892b57f31372a89df12d975cbe99befe737e1f4dad2b6ce599827aea413d1636249573c6b89d57d198bb93cdb2773df9566c2065cbb780feaa3d70e94175451e483c8b2e4521a380733fe082e70c823f649beebb27d0459514941237039fb623784cec8e4c39ed38560a6adbb659ce", &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000240)="c4f62741994efd0093e731c86d4ecdddf4ec3bc148dc309d3263b68edc9d26fc6c616e7c87026815a7b362b355ed137de2a42a3ce32203d611c8f38a07590500aca665294e9784842d81054bc37d50bfa10efbe11f84873147fb685e1197e6d43c8dafb1584d8139bd25eab4e5480858a797ddef7f15285d636ae69182ad56137125769797254e80a105036a5462e31965699e3b6fdfd64854fa86ea5e02811203f005b95b3dec4d66bec7ea6efa4a3ba1d58022d99e0936ab36dc4faf0316140ff151caf95b5468c8647a5f9e1569ffed")
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000b7d000/0x1000)=nil)

17:35:00 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0xe, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c400000"], 0x0, 0x0, 0x0})

[  493.217217][T14830] binder: 14829:14830 ioctl 40086607 20000000 returned -22
17:35:00 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x8000, 0x2)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffff9c, 0x8933, &(0x7f0000000140)={'dummy0\x00', <r1=>0x0})
bind$can_raw(r0, &(0x7f0000000200)={0x1d, r1}, 0x10)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  493.317108][T14842] binder_alloc: binder_alloc_mmap_handler: 14829 20001000-20004000 already mapped failed -16
17:35:00 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1}], 0x1, 0x100000001)

[  493.364508][T14830] binder: BINDER_SET_CONTEXT_MGR already set
[  493.392818][T14830] binder: 14829:14830 ioctl 40046207 0 returned -16
[  493.436588][T14881] binder_alloc: 14829: binder_alloc_buf, no vma
[  493.471547][T14842] binder: 14829:14842 ioctl 40086607 20000000 returned -22
17:35:00 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x8}], 0x1, 0x100000001)

[  493.500251][   T12] binder: release 14829:14830 transaction 1977 out, still active
[  493.528891][T14881] binder: 14829:14881 transaction failed 29189/-3, size 24-8 line 3147
[  493.541018][   T12] binder: unexpected work type, 4, not freed
17:35:00 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0xe, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c400000"], 0x0, 0x0, 0x0})

[  493.571110][   T12] binder: undelivered TRANSACTION_COMPLETE
[  493.604275][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:35:00 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x410001, 0x0)
getsockopt$inet_int(r0, 0x0, 0x17, &(0x7f0000000040), &(0x7f00000000c0)=0x4)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:35:00 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
syz_open_dev$video4linux(&(0x7f00000000c0)='/dev/v4l-subdev#\x00', 0x5, 0x4002)
ioctl$BINDER_SET_MAX_THREADS(r0, 0x40046205, 0x4)
r1 = syz_open_dev$binder(0x0, 0x0, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$sock_inet6_tcp_SIOCOUTQ(r0, 0x5411, &(0x7f0000000000))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0xffffffffffffffbe, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="314b37a75dff0000"], 0x0, 0x0, 0x0})
r2 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x101000, 0x0)
getsockopt$bt_BT_SECURITY(r2, 0x112, 0x4, &(0x7f0000000080), 0x2)

[  493.635987][   T12] binder: send failed reply for transaction 1977, target dead
17:35:01 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0xe, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c400000"], 0x0, 0x0, 0x0})

[  493.738437][T15067] binder: 15042:15067 ioctl 40046205 4 returned -22
17:35:01 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x64}], 0x1, 0x100000001)

17:35:01 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
getgroups(0x3, &(0x7f0000000000)=[0xee00, 0x0, <r3=>0xee00])
r4 = getgid()
setgroups(0x2, &(0x7f0000000040)=[r3, r4])
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  493.803135][T15067] binder: 15042:15067 transaction failed 29189/-22, size 24-8 line 2994
[  493.817329][T15073] binder: 15072:15073 Acquire 1 refcount change on invalid ref 0 ret -22
17:35:01 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000180)='/dev/nullb0\x00', 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r0, 0x0)
r1 = openat$nullb(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/nullb0\x00', 0x0, 0x0)
ioctl$SIOCGSTAMPNS(0xffffffffffffffff, 0x8907, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000100)={0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff}, 0x30)
preadv(r1, &(0x7f0000000040)=[{&(0x7f0000000400)=""/4096, 0x2d000}], 0x1, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  493.859991][T15071] binder: 15042:15071 ioctl 5411 20000000 returned -22
[  493.864392][T15073] binder: 15072:15073 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  493.913312][T15071] binder: 15042:15071 ioctl 40046205 4 returned -22
[  493.953392][T15071] binder: 15042:15071 transaction failed 29189/-22, size 24-8 line 2994
[  493.992340][T15067] binder: 15042:15067 ioctl 5411 20000000 returned -22
[  494.024657][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  494.032599][   T12] binder: undelivered TRANSACTION_ERROR: 29189
17:35:01 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x15, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c40000000000000000000"], 0x0, 0x0, 0x0})

17:35:01 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB="00f80044a596706018c11a695229e407140000000400"]], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304}], 0x0, 0x0, 0x0})
r2 = syz_open_dev$mice(&(0x7f0000000040)='/dev/input/mice\x00', 0x0, 0x109000)
ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f00000000c0)={0x2, &(0x7f0000000080)=[{}, {<r3=>0x0}]})
ioctl$DRM_IOCTL_UNLOCK(r2, 0x4008642b, &(0x7f0000000100)={r3, 0x8})

17:35:01 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x402, 0x0)
ioctl$UI_BEGIN_FF_UPLOAD(r0, 0xc06855c8, &(0x7f00000000c0)={0x4, 0x488, {0x51, 0x2a, 0x6, {0x10001, 0x6}, {0x4, 0x1}, @const={0x5, {0x100000000, 0x3, 0x7}}}, {0x57, 0x0, 0x1, {0x7b, 0x1ff}, {0x8, 0xffffffff}, @cond=[{0x0, 0x5, 0x3ad, 0x2, 0x9, 0x80000001}, {0x1, 0x8, 0x4, 0x6c8bc0b, 0x8, 0x8}]}})
getpriority(0x0, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:35:01 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x1ed}], 0x1, 0x100000001)

[  494.152265][T15191] binder: 15190:15191 Acquire 1 refcount change on invalid ref 0 ret -22
[  494.213538][T15198] ------------[ cut here ]------------
[  494.220002][T15198] kernel BUG at drivers/android/binder_alloc.c:1141!
[  494.229603][T15191] binder: 15190:15191 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  494.266006][T15198] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[  494.273132][T15198] CPU: 0 PID: 15198 Comm: syz-executor.0 Not tainted 5.1.0-rc2+ #39
[  494.281132][T15198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  494.292756][T15198] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[  494.299481][T15198] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 1f f8 23 fc 4c 89 e6 4c 89 ef e8 34 f9 23 fc 4d 39 e5 76 07 e8 0a f8 23 fc <0f> 0b e8 03 f8 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 11
[  494.319852][T15198] RSP: 0018:ffff888052867550 EFLAGS: 00010212
[  494.326099][T15198] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc90005e03000
[  494.334445][T15198] RDX: 000000000000041b RSI: ffffffff854c7976 RDI: 0000000000000006
[  494.342479][T15198] RBP: ffff8880528675d0 R08: ffff888093f68340 R09: 0000000000000028
[  494.350561][T15198] R10: ffffed100a50cf01 R11: ffff88805286780f R12: 0000000000000020
[  494.354614][ T3876] kobject: 'loop1' (00000000e57359dd): kobject_uevent_env
[  494.358713][T15198] R13: 0000000000000028 R14: ffff88808fb3fd50 R15: 0000000000000000
[  494.358725][T15198] FS:  00007f3b64a44700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
[  494.358733][T15198] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  494.358741][T15198] CR2: 000000000073c000 CR3: 00000000971a1000 CR4: 00000000001426f0
[  494.358750][T15198] Call Trace:
[  494.358775][T15198]  ? memcpy+0x46/0x50
[  494.358798][T15198]  binder_alloc_copy_from_buffer+0x37/0x42
[  494.369676][T15204] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  494.374127][T15198]  binder_get_object+0xc3/0x200
[  494.374145][T15198]  binder_transaction+0x2b4a/0x6690
[  494.374176][T15198]  ? binder_thread_read+0x3d50/0x3d50
[  494.374209][T15198]  ? __might_fault+0x12b/0x1e0
[  494.406201][ T3876] kobject: 'loop1' (00000000e57359dd): fill_kobj_path: path = '/devices/virtual/block/loop1'
[  494.411367][T15198]  ? lock_downgrade+0x880/0x880
[  494.411389][T15198]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  494.411404][T15198]  ? _copy_from_user+0xdd/0x150
[  494.411422][T15198]  binder_thread_write+0x64a/0x2820
[  494.411446][T15198]  ? binder_transaction+0x6690/0x6690
[  494.411460][T15198]  ? __might_fault+0x12b/0x1e0
[  494.411490][T15198]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  494.476421][T15204] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  494.476866][T15198]  ? _copy_from_user+0xdd/0x150
[  494.502816][T15198]  binder_ioctl+0x1033/0x183b
[  494.507609][T15198]  ? binder_thread_write+0x2820/0x2820
17:35:01 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x15, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c40000000000000000000"], 0x0, 0x0, 0x0})

[  494.513268][T15198]  ? tomoyo_path_number_perm+0x263/0x520
[  494.514982][ T3876] kobject: 'nullb0' (00000000d962c41f): kobject_uevent_env
[  494.518966][T15198]  ? tomoyo_execute_permission+0x4a0/0x4a0
[  494.533744][T15198]  ? binder_thread_write+0x2820/0x2820
[  494.541458][T15198]  do_vfs_ioctl+0xd6e/0x1390
[  494.546465][T15198]  ? ioctl_preallocate+0x210/0x210
[  494.551956][T15198]  ? __fget+0x381/0x550
[  494.556139][T15198]  ? ksys_dup3+0x3e0/0x3e0
[  494.560568][T15198]  ? nsecs_to_jiffies+0x30/0x30
[  494.573031][T15198]  ? tomoyo_file_ioctl+0x23/0x30
[  494.578226][T15198]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  494.584679][T15198]  ? security_file_ioctl+0x93/0xc0
[  494.589836][T15198]  ksys_ioctl+0xab/0xd0
[  494.594039][T15198]  __x64_sys_ioctl+0x73/0xb0
[  494.598733][T15198]  do_syscall_64+0x103/0x610
[  494.603437][T15198]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  494.609592][T15198] RIP: 0033:0x458209
[  494.613538][T15198] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  494.635309][T15198] RSP: 002b:00007f3b64a43c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  494.643742][T15198] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
[  494.651727][T15198] RDX: 0000000020000440 RSI: 00000000c0306201 RDI: 0000000000000003
[  494.660055][T15198] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[  494.668461][T15198] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3b64a446d4
[  494.676532][T15198] R13: 00000000004bf49a R14: 00000000004d0e80 R15: 00000000ffffffff
[  494.684746][T15198] Modules linked in:
[  494.689074][    C0] net_ratelimit: 18 callbacks suppressed
[  494.689081][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  494.696815][T15194] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  494.701505][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:35:02 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x15, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c40000000000000000000"], 0x0, 0x0, 0x0})

[  494.721525][T15079] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  494.724471][ T3876] kobject: 'nullb0' (00000000d962c41f): fill_kobj_path: path = '/devices/virtual/block/nullb0'
[  494.731500][T15079] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
17:35:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0x6400}], 0x1, 0x100000001)

[  494.805239][T15198] ---[ end trace fc5e70de57d74875 ]---
[  494.812353][T15198] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[  494.820706][T15198] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 1f f8 23 fc 4c 89 e6 4c 89 ef e8 34 f9 23 fc 4d 39 e5 76 07 e8 0a f8 23 fc <0f> 0b e8 03 f8 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 11
[  494.824495][T15194] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
17:35:02 executing program 5:
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
pipe2(0x0, 0x0)
r0 = perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x9010, r0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$SCSI_IOCTL_DOORLOCK(0xffffffffffffffff, 0x5380)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:35:02 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x19, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000"], 0x0, 0x0, 0x0})

[  494.843303][T15145] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  494.859419][T15198] RSP: 0018:ffff888052867550 EFLAGS: 00010212
[  494.867778][T15145] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  494.881365][T15198] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc90005e03000
[  494.899835][ T3876] kobject: 'loop1' (00000000e57359dd): kobject_uevent_env
[  494.911438][T15198] RDX: 000000000000041b RSI: ffffffff854c7976 RDI: 0000000000000006
[  494.913127][ T3876] kobject: 'loop1' (00000000e57359dd): fill_kobj_path: path = '/devices/virtual/block/loop1'
[  494.921723][T15198] RBP: ffff8880528675d0 R08: ffff888093f68340 R09: 0000000000000028
[  494.940279][T15198] R10: ffffed100a50cf01 R11: ffff88805286780f R12: 0000000000000020
[  494.942517][T15194] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  494.949061][T15198] R13: 0000000000000028 R14: ffff88808fb3fd50 R15: 0000000000000000
[  494.958772][T15194] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  494.964667][T15318] binder: 15314:15318 unknown command 0
[  494.979050][T15323] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  494.990071][T15135] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  494.999967][ T3876] kobject: 'loop4' (00000000f6196f5f): kobject_uevent_env
[  495.013768][T15135] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  495.017635][ T3876] kobject: 'loop4' (00000000f6196f5f): fill_kobj_path: path = '/devices/virtual/block/loop4'
[  495.031914][T15211] binder_alloc: binder_alloc_mmap_handler: 15193 20001000-20004000 already mapped failed -16
17:35:02 executing program 3:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
r0 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000440)='/dev/btrfs-control\x00', 0x10842, 0x0)
ioctl$VIDIOC_S_MODULATOR(r0, 0x40445637, &(0x7f0000000480)={0x5, "771948f78f529c295b194b3ff8cadeacfabb18e580075608710aac44eb7d85fa", 0x1000, 0x2, 0x3, 0x1, 0x6})
mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getpriority(0x0, 0x0)
r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x302, 0x2080)
ioctl$KVM_GET_API_VERSION(r1, 0xae00, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
execve(&(0x7f0000000040)='./file0\x00', &(0x7f0000000240)=[&(0x7f00000000c0)='/dev/kvm\x00', &(0x7f0000000100)='vboxnet0mime_type\x00', &(0x7f0000000140)='r\xfbmd5sum\x00', &(0x7f0000000180)='bdev:\x00', &(0x7f00000001c0)='securitykeyring\'$nodevbdevusersecurity\x00', &(0x7f0000000200)='/dev/kvm\x00'], &(0x7f0000000400)=[&(0x7f0000000280)='!@cgroup&:\x00', &(0x7f00000002c0)='/dev/kvm\x00', &(0x7f0000000300)='\x00', &(0x7f0000000340)='/dev/kvm\x00', &(0x7f0000000380)='wlan1,nodevselfem1\x00', &(0x7f00000003c0)='/dev/bus/usb/00#/00#\x00'])
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
setregid(0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

[  495.051794][T15198] FS:  00007f3b64a44700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
[  495.062231][T15309] binder_alloc: 15193: binder_alloc_buf, no vma
[  495.068617][T15323] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  495.068797][T15211] binder: BINDER_SET_CONTEXT_MGR already set
[  495.084544][ T3876] kobject: 'loop1' (00000000e57359dd): kobject_uevent_env
[  495.094994][T15318] binder: 15314:15318 ioctl c0306201 20000680 returned -22
[  495.119345][ T3876] kobject: 'loop1' (00000000e57359dd): fill_kobj_path: path = '/devices/virtual/block/loop1'
[  495.120503][T15135] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  495.140429][T15309] binder: 15193:15309 transaction failed 29189/-3, size 24-8 line 3147
[  495.145000][T15400] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  495.149205][T15135] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
17:35:02 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000008ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = dup2(r0, r0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000680)={0x19, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="05630440000000000e630c4000000000000000000000000000"], 0x0, 0x0, 0x0})

[  495.165037][ T3876] kobject: 'loop5' (0000000027a88237): kobject_uevent_env
[  495.174194][T15198] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  495.188296][T15198] CR2: 0000000000000000 CR3: 00000000971a1000 CR4: 00000000001426f0
[  495.189327][T15313] kobject: 'kvm' (00000000a193a8fc): kobject_uevent_env
[  495.209872][T15211] binder: 15193:15211 ioctl 40046207 0 returned -16
[  495.221044][T15424] binder: 15423:15424 Acquire 1 refcount change on invalid ref 0 ret -22
[  495.222536][T15400] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  495.239787][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  495.239804][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  495.245577][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  495.251398][    C0] protocol 88fb is buggy, dev hsr_slave_1
17:35:02 executing program 2:
ioctl$DRM_IOCTL_WAIT_VBLANK(0xffffffffffffffff, 0xc018643a, 0x0)
mmap(&(0x7f00000f0000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
r0 = perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_OUTPUT(0xffffffffffffffff, 0xc004562f, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setregid(0x0, 0x0)
ioctl$VIDIOC_G_PARM(r0, 0xc0cc5615, &(0x7f0000000200)={0xf, @capture={0x1000, 0x1, {0x75f, 0x40}, 0x5, 0x4}})
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f00001da000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f00007d5000/0x3000)=nil, 0x3000, 0x1000, 0x0, &(0x7f0000ffd000/0x1000)=nil)

17:35:02 executing program 4:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc\x00', 0x0, 0x0)
poll(&(0x7f0000000000)=[{r1, 0xed01}], 0x1, 0x100000001)

[  495.265650][ T3876] kobject: 'loop5' (0000000027a88237): fill_kobj_path: path = '/devices/virtual/block/loop5'
[  495.265711][T15406] binder: 15193:15406 IncRefs 0 refcount change on invalid ref 0 ret -22
[  495.284720][ T3876] kobject: 'loop3' (00000000090c693b): kobject_uevent_env
[  495.295294][T15313] kobject: 'kvm' (00000000a193a8fc): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  495.310414][T15424] binder: 15423:15424 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
[  495.317817][ T3876] kobject: 'loop3' (00000000090c693b): fill_kobj_path: path = '/devices/virtual/block/loop3'
[  495.340049][T15424] binder: 15423:15424 unknown command 0
[  495.349159][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  495.355707][T15198] Kernel panic - not syncing: Fatal exception
[  495.355942][ T3876] kobject: 'loop1' (00000000e57359dd): kobject_uevent_env
[  495.362616][T15198] Kernel Offset: disabled
[  495.374073][T15198] Rebooting in 86400 seconds..