last executing test programs: 1.61558873s ago: executing program 0 (id=210): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ppp', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ppp', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ppp', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ppp', 0x800, 0x0) 1.535634555s ago: executing program 1 (id=211): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/asound/card0/oss_mixer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/asound/card0/oss_mixer', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/asound/card0/oss_mixer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/proc/asound/card0/oss_mixer', 0x800, 0x0) 1.44538287s ago: executing program 0 (id=212): timerfd_settime(0xffffffffffffffff, 0x0, &(0x7f0000000000), &(0x7f0000000000)) 1.289139168s ago: executing program 0 (id=213): sched_getaffinity(0x0, 0x0, &(0x7f0000000000)) 1.26655961s ago: executing program 1 (id=214): socket$isdn_base(0x22, 0x3, 0x0) 1.126353058s ago: executing program 0 (id=215): socket$qrtr(0x2a, 0x2, 0x0) 765.284148ms ago: executing program 1 (id=216): rt_sigprocmask(0x0, &(0x7f0000000000), 0x0, 0x0) 526.151411ms ago: executing program 1 (id=217): socket$inet_udp(0x2, 0x2, 0x0) 525.931511ms ago: executing program 0 (id=218): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/keychord', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/keychord', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/keychord', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/keychord', 0x800, 0x0) 357.003711ms ago: executing program 1 (id=219): lgetxattr(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0) 356.52871ms ago: executing program 0 (id=220): renameat(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000)) 0s ago: executing program 1 (id=222): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/fs/binfmt_misc/register', 0x1, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:30831' (ED25519) to the list of known hosts. [ 133.514713][ T30] audit: type=1400 audit(133.260:58): avc: denied { name_bind } for pid=3294 comm="sshd" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 133.863377][ T30] audit: type=1400 audit(133.620:59): avc: denied { execute } for pid=3296 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 133.873417][ T30] audit: type=1400 audit(133.620:60): avc: denied { execute_no_trans } for pid=3296 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 137.707726][ T30] audit: type=1400 audit(137.460:61): avc: denied { mounton } for pid=3296 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1736 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 137.723034][ T30] audit: type=1400 audit(137.480:62): avc: denied { mount } for pid=3296 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 137.758106][ T3296] cgroup: Unknown subsys name 'net' [ 137.778378][ T30] audit: type=1400 audit(137.530:63): avc: denied { unmount } for pid=3296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 138.169915][ T3296] cgroup: Unknown subsys name 'cpuset' [ 138.201704][ T3296] cgroup: Unknown subsys name 'rlimit' [ 138.612612][ T30] audit: type=1400 audit(138.370:64): avc: denied { setattr } for pid=3296 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 138.613924][ T30] audit: type=1400 audit(138.370:65): avc: denied { create } for pid=3296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 138.624795][ T30] audit: type=1400 audit(138.380:66): avc: denied { write } for pid=3296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 138.629697][ T30] audit: type=1400 audit(138.390:67): avc: denied { module_request } for pid=3296 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 138.745640][ T30] audit: type=1400 audit(138.500:68): avc: denied { read } for pid=3296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 138.760455][ T30] audit: type=1400 audit(138.520:69): avc: denied { mounton } for pid=3296 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 138.761547][ T30] audit: type=1400 audit(138.520:70): avc: denied { mount } for pid=3296 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 139.051912][ T3299] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 139.057501][ T30] audit: type=1400 audit(138.810:71): avc: denied { relabelto } for pid=3299 comm="mkswap" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 139.061325][ T30] audit: type=1400 audit(138.820:72): avc: denied { write } for pid=3299 comm="mkswap" path="/swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 139.159209][ T30] audit: type=1400 audit(138.920:73): avc: denied { read } for pid=3296 comm="syz-executor" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 139.179555][ T3296] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 157.004099][ T30] kauditd_printk_skb: 1 callbacks suppressed [ 157.005039][ T30] audit: type=1400 audit(156.760:75): avc: denied { execmem } for pid=3300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 157.075290][ T30] audit: type=1400 audit(156.830:76): avc: denied { read } for pid=3302 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 157.080264][ T30] audit: type=1400 audit(156.840:77): avc: denied { open } for pid=3302 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 157.091078][ T30] audit: type=1400 audit(156.850:78): avc: denied { mounton } for pid=3302 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 157.960040][ T30] audit: type=1400 audit(157.720:79): avc: denied { mount } for pid=3302 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 157.978790][ T30] audit: type=1400 audit(157.740:80): avc: denied { mounton } for pid=3302 comm="syz-executor" path="/syzkaller.3fXnNL/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 158.000991][ T30] audit: type=1400 audit(157.760:81): avc: denied { mount } for pid=3302 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 158.021744][ T30] audit: type=1400 audit(157.780:82): avc: denied { mounton } for pid=3302 comm="syz-executor" path="/syzkaller.3fXnNL/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 158.031372][ T30] audit: type=1400 audit(157.790:83): avc: denied { mounton } for pid=3302 comm="syz-executor" path="/syzkaller.3fXnNL/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=3231 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 158.050238][ T30] audit: type=1400 audit(157.810:84): avc: denied { unmount } for pid=3302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 162.353191][ T30] kauditd_printk_skb: 16 callbacks suppressed [ 162.355411][ T30] audit: type=1400 audit(162.110:101): avc: denied { write } for pid=3354 comm="syz.1.46" name="pfkey" dev="proc" ino=4026532766 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=1 [ 162.604343][ T30] audit: type=1400 audit(162.360:102): avc: denied { read } for pid=3356 comm="syz.1.49" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 162.634204][ T30] audit: type=1400 audit(162.390:103): avc: denied { open } for pid=3356 comm="syz.1.49" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 162.649602][ T30] audit: type=1400 audit(162.410:104): avc: denied { write } for pid=3356 comm="syz.1.49" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 163.387303][ T30] audit: type=1400 audit(163.140:105): avc: denied { create } for pid=3364 comm="syz.0.58" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rds_socket permissive=1 [ 164.410921][ T30] audit: type=1400 audit(164.170:106): avc: denied { create } for pid=3376 comm="syz.1.69" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=alg_socket permissive=1 [ 165.553765][ T30] audit: type=1400 audit(165.310:107): avc: denied { create } for pid=3389 comm="syz.1.81" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 165.561939][ T3389] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 166.344278][ T30] audit: type=1400 audit(166.100:108): avc: denied { read } for pid=3393 comm="syz.1.86" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 166.369160][ T30] audit: type=1400 audit(166.130:109): avc: denied { open } for pid=3393 comm="syz.1.86" path="/dev/uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 166.380859][ T30] audit: type=1400 audit(166.140:110): avc: denied { write } for pid=3393 comm="syz.1.86" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 169.361173][ T30] audit: type=1400 audit(169.120:111): avc: denied { create } for pid=3424 comm="syz.0.117" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 169.770266][ T30] audit: type=1400 audit(169.530:112): avc: denied { write } for pid=3429 comm="syz.0.119" name="urandom" dev="devtmpfs" ino=9 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file permissive=1 [ 169.843465][ T30] audit: type=1400 audit(169.600:113): avc: denied { create } for pid=3428 comm="syz.1.120" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 171.287733][ T30] audit: type=1400 audit(171.040:114): avc: denied { create } for pid=3446 comm="syz.1.137" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1 [ 172.928845][ T30] audit: type=1400 audit(172.680:115): avc: denied { create } for pid=3460 comm="syz.1.150" anonclass=[secretmem] scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:sysadm_t tclass=anon_inode permissive=1 [ 173.138374][ T30] audit: type=1400 audit(172.890:116): avc: denied { create } for pid=3462 comm="syz.1.152" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 174.725101][ T30] audit: type=1400 audit(174.480:117): avc: denied { read } for pid=3479 comm="syz.1.168" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 174.735891][ T30] audit: type=1400 audit(174.490:118): avc: denied { open } for pid=3479 comm="syz.1.168" path="/dev/rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 174.742835][ T30] audit: type=1400 audit(174.500:119): avc: denied { write } for pid=3479 comm="syz.1.168" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 175.431351][ T30] audit: type=1400 audit(175.190:120): avc: denied { write } for pid=3485 comm="syz.0.174" name="hwrng" dev="devtmpfs" ino=83 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 177.581939][ T30] audit: type=1400 audit(177.340:121): avc: denied { create } for pid=3498 comm="syz.1.186" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 178.583140][ T30] audit: type=1400 audit(178.340:122): avc: denied { create } for pid=3507 comm="syz.1.194" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rose_socket permissive=1 [ 178.991454][ T30] audit: type=1400 audit(178.750:123): avc: denied { create } for pid=3509 comm="syz.1.195" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 179.689952][ T30] audit: type=1400 audit(179.450:124): avc: denied { sys_module } for pid=3518 comm="syz.0.203" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 180.785795][ T30] audit: type=1400 audit(180.540:125): avc: denied { create } for pid=3529 comm="syz.1.214" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=isdn_socket permissive=1 [ 180.885102][ T30] audit: type=1400 audit(180.640:126): avc: denied { create } for pid=3531 comm="syz.0.215" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=qipcrtr_socket permissive=1 [ 182.574908][ T3303] ================================================================== [ 182.576294][ T3303] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 182.577748][ T3303] Write of size 8 at addr ffff000018765808 by task syz-executor/3303 [ 182.577951][ T3303] [ 182.579189][ T3303] CPU: 0 UID: 0 PID: 3303 Comm: syz-executor Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT [ 182.579552][ T3303] Hardware name: linux,dummy-virt (DT) [ 182.580090][ T3303] Call trace: [ 182.580373][ T3303] show_stack+0x18/0x24 (C) [ 182.580635][ T3303] dump_stack_lvl+0xa4/0xf4 [ 182.580773][ T3303] print_report+0xf4/0x60c [ 182.580886][ T3303] kasan_report+0xc8/0x108 [ 182.580976][ T3303] __asan_report_store8_noabort+0x20/0x2c [ 182.581062][ T3303] binderfs_evict_inode+0x2ac/0x2b4 [ 182.581148][ T3303] evict+0x2c0/0x67c [ 182.581236][ T3303] iput+0x3b0/0x6b4 [ 182.581316][ T3303] dentry_unlink_inode+0x208/0x46c [ 182.581410][ T3303] __dentry_kill+0x150/0x52c [ 182.581497][ T3303] shrink_dentry_list+0x114/0x3a4 [ 182.581588][ T3303] shrink_dcache_parent+0x158/0x354 [ 182.581683][ T3303] shrink_dcache_for_umount+0x88/0x304 [ 182.581770][ T3303] generic_shutdown_super+0x60/0x2e8 [ 182.581872][ T3303] kill_litter_super+0x68/0xa4 [ 182.581962][ T3303] binderfs_kill_super+0x38/0x88 [ 182.582052][ T3303] deactivate_locked_super+0x98/0x17c [ 182.582143][ T3303] deactivate_super+0xb0/0xd4 [ 182.582232][ T3303] cleanup_mnt+0x198/0x424 [ 182.582319][ T3303] __cleanup_mnt+0x14/0x20 [ 182.582410][ T3303] task_work_run+0x128/0x210 [ 182.582497][ T3303] do_exit+0x7ac/0x1f68 [ 182.582584][ T3303] do_group_exit+0xa4/0x208 [ 182.582672][ T3303] get_signal+0x1b00/0x1ba8 [ 182.582761][ T3303] do_signal+0x160/0x620 [ 182.582854][ T3303] do_notify_resume+0x18c/0x258 [ 182.582945][ T3303] el0_svc+0x100/0x180 [ 182.583032][ T3303] el0t_64_sync_handler+0x10c/0x138 [ 182.583117][ T3303] el0t_64_sync+0x198/0x19c [ 182.583440][ T3303] [ 182.585294][ T3303] Allocated by task 3302: [ 182.585741][ T3303] kasan_save_stack+0x3c/0x64 [ 182.585967][ T3303] kasan_save_track+0x20/0x3c [ 182.586141][ T3303] kasan_save_alloc_info+0x40/0x54 [ 182.586378][ T3303] __kasan_kmalloc+0xb8/0xbc [ 182.586552][ T3303] __kmalloc_cache_noprof+0x1b0/0x3cc [ 182.586766][ T3303] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 182.586949][ T3303] binderfs_fill_super+0x69c/0xed4 [ 182.587119][ T3303] get_tree_nodev+0xac/0x148 [ 182.587281][ T3303] binderfs_fs_context_get_tree+0x18/0x24 [ 182.587449][ T3303] vfs_get_tree+0x74/0x280 [ 182.587618][ T3303] path_mount+0xe54/0x1808 [ 182.587810][ T3303] __arm64_sys_mount+0x304/0x3dc [ 182.587988][ T3303] invoke_syscall+0x6c/0x258 [ 182.588155][ T3303] el0_svc_common.constprop.0+0xac/0x230 [ 182.588321][ T3303] do_el0_svc+0x40/0x58 [ 182.588484][ T3303] el0_svc+0x50/0x180 [ 182.588647][ T3303] el0t_64_sync_handler+0x10c/0x138 [ 182.588814][ T3303] el0t_64_sync+0x198/0x19c [ 182.589039][ T3303] [ 182.589219][ T3303] Freed by task 3302: [ 182.589383][ T3303] kasan_save_stack+0x3c/0x64 [ 182.589555][ T3303] kasan_save_track+0x20/0x3c [ 182.589723][ T3303] kasan_save_free_info+0x4c/0x74 [ 182.589886][ T3303] __kasan_slab_free+0x50/0x6c [ 182.590047][ T3303] kfree+0x1bc/0x444 [ 182.590210][ T3303] binderfs_evict_inode+0x238/0x2b4 [ 182.590386][ T3303] evict+0x2c0/0x67c [ 182.590559][ T3303] iput+0x3b0/0x6b4 [ 182.590727][ T3303] dentry_unlink_inode+0x208/0x46c [ 182.590899][ T3303] __dentry_kill+0x150/0x52c [ 182.591057][ T3303] shrink_dentry_list+0x114/0x3a4 [ 182.591217][ T3303] shrink_dcache_parent+0x158/0x354 [ 182.591393][ T3303] shrink_dcache_for_umount+0x88/0x304 [ 182.591551][ T3303] generic_shutdown_super+0x60/0x2e8 [ 182.591728][ T3303] kill_litter_super+0x68/0xa4 [ 182.591937][ T3303] binderfs_kill_super+0x38/0x88 [ 182.592114][ T3303] deactivate_locked_super+0x98/0x17c [ 182.592281][ T3303] deactivate_super+0xb0/0xd4 [ 182.592452][ T3303] cleanup_mnt+0x198/0x424 [ 182.592627][ T3303] __cleanup_mnt+0x14/0x20 [ 182.592806][ T3303] task_work_run+0x128/0x210 [ 182.592993][ T3303] do_exit+0x7ac/0x1f68 [ 182.593183][ T3303] do_group_exit+0xa4/0x208 [ 182.593346][ T3303] get_signal+0x1b00/0x1ba8 [ 182.593513][ T3303] do_signal+0x160/0x620 [ 182.593677][ T3303] do_notify_resume+0x18c/0x258 [ 182.593854][ T3303] el0_svc+0x100/0x180 [ 182.594015][ T3303] el0t_64_sync_handler+0x10c/0x138 [ 182.594185][ T3303] el0t_64_sync+0x198/0x19c [ 182.594378][ T3303] [ 182.594614][ T3303] The buggy address belongs to the object at ffff000018765800 [ 182.594614][ T3303] which belongs to the cache kmalloc-512 of size 512 [ 182.594906][ T3303] The buggy address is located 8 bytes inside of [ 182.594906][ T3303] freed 512-byte region [ffff000018765800, ffff000018765a00) [ 182.595095][ T3303] [ 182.595335][ T3303] The buggy address belongs to the physical page: [ 182.596045][ T3303] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x58764 [ 182.596981][ T3303] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 182.597253][ T3303] anon flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 182.598052][ T3303] page_type: f5(slab) [ 182.598721][ T3303] raw: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 182.598923][ T3303] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 182.599206][ T3303] head: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 182.599378][ T3303] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 182.599542][ T3303] head: 01ffc00000000002 fffffdffc061d901 00000000ffffffff 00000000ffffffff [ 182.599710][ T3303] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 182.599970][ T3303] page dumped because: kasan: bad access detected [ 182.600147][ T3303] [ 182.600292][ T3303] Memory state around the buggy address: [ 182.600892][ T3303] ffff000018765700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 182.601131][ T3303] ffff000018765780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 182.601335][ T3303] >ffff000018765800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 182.601533][ T3303] ^ [ 182.601787][ T3303] ffff000018765880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 182.601964][ T3303] ffff000018765900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 182.602234][ T3303] ================================================================== [ 182.691285][ T30] audit: type=1400 audit(182.450:127): avc: denied { mount } for pid=3538 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 182.728029][ T3303] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 182.962704][ T30] audit: type=1400 audit(182.720:128): avc: denied { create } for pid=3540 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=user_namespace permissive=1 [ 182.985850][ T30] audit: type=1400 audit(182.740:129): avc: denied { sys_admin } for pid=3540 comm="syz-executor" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1 [ 183.538999][ T30] audit: type=1400 audit(183.300:130): avc: denied { mounton } for pid=3541 comm="syz-executor" path="/syzkaller.onwVnW/syz-tmp" dev="vda" ino=1746 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 183.544473][ T30] audit: type=1400 audit(183.300:131): avc: denied { mounton } for pid=3541 comm="syz-executor" path="/syzkaller.onwVnW/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 183.580272][ T30] audit: type=1400 audit(183.340:132): avc: denied { sys_chroot } for pid=3541 comm="syz-executor" capability=18 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1 [ 183.683522][ T3541] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. VM DIAGNOSIS: 07:45:32 Registers: info registers vcpu 0 CPU#0 PC=ffff80008038cfb0 X00=ffff800085800780 X01=1ffff00011a7b64b X02=ffff000016ef0000 X03=0000000000000008 X04=ffff000016ef0000 X05=dfff800000000000 X06=ffff600003542dab X07=0000000000000001 X08=ffff00001aa16d5f X09=dfff800000000000 X10=ffff600003542dab X11=1fffe00003542dab X12=ffff600003542dac X13=0000000000000000 X14=1201160044910f02 X15=18509d2f48419a58 X16=48ca00000d47ffff X17=0376ba9966423303 X18=ffff00001aa16c90 X19=ffff8000870d3098 X20=ffff00001689f110 X21=ffff800080007700 X22=ffff00001689f110 X23=1fffe00003542d90 X24=ffff00001aa16c80 X25=ffff00001aa16c80 X26=0000000000000000 X27=0000000000000000 X28=dfff800000000000 X29=ffff800080007510 X30=ffff800084a03c48 SP=ffff800080007450 PSTATE=00000005 ---- EL1h FPCR=00000000 FPSR=00000000 Q00=2525252525252525:2525252525252525 Q01=63206f742064656c:6961460064252f68 Q02=f00ff00ff00ff00f:f00ff00ff00ff00f Q03=0000000000000000:0000000f000f0000 Q04=f00ff00ff00ff00f:f00ff00ff00ff00f Q05=00000000000f0f00:00000000000f0f00 Q06=000000000000c00c:000000000000c00c Q07=0000aaab01464790:000002da00000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000002000:0000000000000000 Q17=000000000000000b:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff80008029e348 X00=0000000000000001 X01=0000000000000000 X02=0000000000000003 X03=1fffe0000d41aa08 X04=ffff7000111835da X05=ffff800088c1aec8 X06=ffff7000111835d9 X07=0000000000000001 X08=ffff800088c1aecb X09=dfff800000000000 X10=ffff7000111835d9 X11=1ffff000111835d9 X12=ffff7000111835da X13=0000000000000000 X14=00004c4b40000000 X15=0000000000000000 X16=ffff80008d440000 X17=ffff7fffe3066000 X18=0000000000000000 X19=ffff00000ea23c80 X20=1ffff00011a88f64 X21=ffff00000e325100 X22=ffff00000ea243e8 X23=ffff80008d947a90 X24=1fffe0000d41894a X25=1fffe0000d41894c X26=ffff00006a0c4a60 X27=00000000ffffd20c X28=ffff00006a0c4a68 X29=ffff80008d447c50 X30=ffff8000803e77dc SP=ffff80008d447bd0 PSTATE=100000c5 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=2c2c2c2c2c2c2c2c:2c2c2c2c2c2c2c2c Q01=0065770075253a73:2520277325272067 Q02=c000000c00000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=3003300330033003:3003300330033003 Q05=f00ff00ff00ff00f:f00ff00ff00ff00f Q06=c00c000000000000:c00c000000000000 Q07=0000aaab01464790:000002da00000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000002000:0000000000000000 Q17=000000000000000b:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000