last executing test programs:

19.447776ms ago: executing program 0 (id=1):
swapoff$auto(&(0x7f0000000000))

0s ago: executing program 0 (id=5):
timer_settime(0x0, 0x0, &(0x7f0000000000), 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.219' (ED25519) to the list of known hosts.
[   65.259129][ T5819] cgroup: Unknown subsys name 'net'
[   65.379339][ T5819] cgroup: Unknown subsys name 'cpuset'
[   65.387280][ T5819] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   66.688370][ T5819] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   68.186761][ T5831] ==================================================================
[   68.194966][ T5831] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[   68.202738][ T5831] Write of size 8 at addr ffff888144bfe008 by task syz-executor/5831
[   68.210847][ T5831] 
[   68.213201][ T5831] CPU: 0 UID: 0 PID: 5831 Comm: syz-executor Not tainted 6.13.0-syzkaller-09338-g05dbaf8dd8bf #0
[   68.213227][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   68.213247][ T5831] Call Trace:
[   68.213260][ T5831]  <TASK>
[   68.213273][ T5831]  dump_stack_lvl+0x116/0x1f0
[   68.213314][ T5831]  print_report+0xc3/0x620
[   68.213340][ T5831]  ? __virt_addr_valid+0x5e/0x590
[   68.213359][ T5831]  ? __phys_addr+0xc6/0x150
[   68.213379][ T5831]  kasan_report+0xd9/0x110
[   68.213402][ T5831]  ? binder_add_device+0xa4/0xb0
[   68.213435][ T5831]  ? binder_add_device+0xa4/0xb0
[   68.213469][ T5831]  binder_add_device+0xa4/0xb0
[   68.213498][ T5831]  binderfs_binder_device_create.isra.0+0x8ec/0xad0
[   68.213528][ T5831]  binderfs_fill_super+0x848/0x1240
[   68.213555][ T5831]  ? __pfx_binderfs_fill_super+0x10/0x10
[   68.213588][ T5831]  ? shrinker_register+0x1a8/0x260
[   68.213619][ T5831]  ? sget_fc+0x488/0xb90
[   68.213639][ T5831]  ? apparmor_capable+0x114/0x1d0
[   68.213669][ T5831]  ? __pfx_set_anon_super_fc+0x10/0x10
[   68.213711][ T5831]  ? __pfx_binderfs_fill_super+0x10/0x10
[   68.213735][ T5831]  get_tree_nodev+0xda/0x190
[   68.213755][ T5831]  vfs_get_tree+0x8b/0x340
[   68.213782][ T5831]  path_mount+0x6e1/0x1f00
[   68.213807][ T5831]  ? kmem_cache_free+0x2e2/0x4d0
[   68.213835][ T5831]  ? __pfx_path_mount+0x10/0x10
[   68.213861][ T5831]  ? putname+0x13c/0x180
[   68.213889][ T5831]  __x64_sys_mount+0x28f/0x310
[   68.213914][ T5831]  ? __pfx___x64_sys_mount+0x10/0x10
[   68.213944][ T5831]  do_syscall_64+0xcd/0x250
[   68.213968][ T5831]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.213999][ T5831] RIP: 0033:0x7f7d35d8e54a
[   68.214016][ T5831] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   68.214037][ T5831] RSP: 002b:00007ffdce499208 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   68.214058][ T5831] RAX: ffffffffffffffda RBX: 00007f7d35e0e663 RCX: 00007f7d35d8e54a
[   68.214073][ T5831] RDX: 00007f7d35e1dda7 RSI: 00007f7d35e0e663 RDI: 00007f7d35e1dda7
[   68.214088][ T5831] RBP: 00007f7d35e0e8ac R08: 0000000000000000 R09: 00000000000001ff
[   68.214102][ T5831] R10: 0000000000000000 R11: 0000000000000246 R12: 00005555731b04a8
[   68.214116][ T5831] R13: 00007ffdce4992b8 R14: 0000000000000009 R15: 0000000000000000
[   68.214136][ T5831]  </TASK>
[   68.214143][ T5831] 
[   68.448704][ T5831] Allocated by task 5828:
[   68.453029][ T5831]  kasan_save_stack+0x33/0x60
[   68.457716][ T5831]  kasan_save_track+0x14/0x30
[   68.462398][ T5831]  __kasan_kmalloc+0xaa/0xb0
[   68.466984][ T5831]  binderfs_binder_device_create.isra.0+0x17a/0xad0
[   68.473587][ T5831]  binderfs_fill_super+0x848/0x1240
[   68.478872][ T5831]  get_tree_nodev+0xda/0x190
[   68.483479][ T5831]  vfs_get_tree+0x8b/0x340
[   68.487897][ T5831]  path_mount+0x6e1/0x1f00
[   68.492397][ T5831]  __x64_sys_mount+0x28f/0x310
[   68.497156][ T5831]  do_syscall_64+0xcd/0x250
[   68.501750][ T5831]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.507646][ T5831] 
[   68.510064][ T5831] Freed by task 5828:
[   68.514138][ T5831]  kasan_save_stack+0x33/0x60
[   68.518824][ T5831]  kasan_save_track+0x14/0x30
[   68.523499][ T5831]  kasan_save_free_info+0x3b/0x60
[   68.528531][ T5831]  __kasan_slab_free+0x51/0x70
[   68.533292][ T5831]  kfree+0x2c4/0x4d0
[   68.537196][ T5831]  binderfs_evict_inode+0x1e0/0x250
[   68.542390][ T5831]  evict+0x409/0x960
[   68.546285][ T5831]  iput+0x52a/0x890
[   68.550089][ T5831]  dentry_unlink_inode+0x29c/0x480
[   68.555198][ T5831]  __dentry_kill+0x1d0/0x600
[   68.559787][ T5831]  shrink_dentry_list+0x140/0x5d0
[   68.564823][ T5831]  shrink_dcache_parent+0xe2/0x530
[   68.569992][ T5831]  shrink_dcache_for_umount+0xa1/0x3e0
[   68.575455][ T5831]  generic_shutdown_super+0x6c/0x390
[   68.580749][ T5831]  kill_litter_super+0x70/0xa0
[   68.585514][ T5831]  binderfs_kill_super+0x3b/0xa0
[   68.590444][ T5831]  deactivate_locked_super+0xbe/0x1a0
[   68.595832][ T5831]  deactivate_super+0xde/0x100
[   68.600684][ T5831]  cleanup_mnt+0x222/0x450
[   68.605095][ T5831]  task_work_run+0x14e/0x250
[   68.609683][ T5831]  do_exit+0xad8/0x2d70
[   68.613834][ T5831]  do_group_exit+0xd3/0x2a0
[   68.618328][ T5831]  get_signal+0x2576/0x2610
[   68.622833][ T5831]  arch_do_signal_or_restart+0x90/0x7e0
[   68.628385][ T5831]  syscall_exit_to_user_mode+0x150/0x2a0
[   68.634012][ T5831]  do_syscall_64+0xda/0x250
[   68.638507][ T5831]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.644401][ T5831] 
[   68.646718][ T5831] The buggy address belongs to the object at ffff888144bfe000
[   68.646718][ T5831]  which belongs to the cache kmalloc-512 of size 512
[   68.660770][ T5831] The buggy address is located 8 bytes inside of
[   68.660770][ T5831]  freed 512-byte region [ffff888144bfe000, ffff888144bfe200)
[   68.674399][ T5831] 
[   68.676864][ T5831] The buggy address belongs to the physical page:
[   68.683275][ T5831] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x144bfc
[   68.692114][ T5831] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   68.700612][ T5831] flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
[   68.708354][ T5831] page_type: f5(slab)
[   68.712332][ T5831] raw: 057ff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[   68.720915][ T5831] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   68.729513][ T5831] head: 057ff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[   68.738193][ T5831] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   68.746863][ T5831] head: 057ff00000000002 ffffea000512ff01 ffffffffffffffff 0000000000000000
[   68.755532][ T5831] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[   68.764282][ T5831] page dumped because: kasan: bad access detected
[   68.770887][ T5831] page_owner tracks the page as allocated
[   68.776608][ T5831] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 11775710301, free_ts 0
[   68.796496][ T5831]  post_alloc_hook+0x181/0x1b0
[   68.801265][ T5831]  get_page_from_freelist+0xfce/0x2f80
[   68.806780][ T5831]  __alloc_frozen_pages_noprof+0x221/0x2470
[   68.812780][ T5831]  alloc_pages_mpol+0x1fc/0x540
[   68.817646][ T5831]  new_slab+0x23d/0x330
[   68.821799][ T5831]  ___slab_alloc+0xbfa/0x1600
[   68.826502][ T5831]  __slab_alloc.constprop.0+0x56/0xb0
[   68.831878][ T5831]  __kmalloc_cache_noprof+0xf6/0x420
[   68.837173][ T5831]  device_add+0xccf/0x1a70
[   68.841593][ T5831]  usb_hub_create_port_device+0x3a1/0xde0
[   68.847316][ T5831]  hub_probe+0x1e1e/0x3200
[   68.851737][ T5831]  usb_probe_interface+0x300/0x9c0
[   68.857026][ T5831]  really_probe+0x23e/0xa90
[   68.861724][ T5831]  __driver_probe_device+0x1de/0x440
[   68.867037][ T5831]  driver_probe_device+0x4c/0x1b0
[   68.872173][ T5831]  __device_attach_driver+0x1df/0x310
[   68.877567][ T5831] page_owner free stack trace missing
[   68.882925][ T5831] 
[   68.885244][ T5831] Memory state around the buggy address:
[   68.890963][ T5831]  ffff888144bfdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   68.899212][ T5831]  ffff888144bfdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   68.907357][ T5831] >ffff888144bfe000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.915497][ T5831]                       ^
[   68.919832][ T5831]  ffff888144bfe080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.928181][ T5831]  ffff888144bfe100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   68.936246][ T5831] ==================================================================
[   68.946370][ T5831] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   68.953695][ T5831] CPU: 0 UID: 0 PID: 5831 Comm: syz-executor Not tainted 6.13.0-syzkaller-09338-g05dbaf8dd8bf #0
[   68.964396][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   68.974469][ T5831] Call Trace:
[   68.977776][ T5831]  <TASK>
[   68.980903][ T5831]  dump_stack_lvl+0x3d/0x1f0
[   68.985528][ T5831]  panic+0x71d/0x800
[   68.989612][ T5831]  ? __pfx_panic+0x10/0x10
[   68.994074][ T5831]  ? irqentry_exit+0x3b/0x90
[   68.998682][ T5831]  ? lockdep_hardirqs_on+0x7c/0x110
[   69.003909][ T5831]  ? preempt_schedule_thunk+0x1a/0x30
[   69.009302][ T5831]  ? preempt_schedule_common+0x44/0xc0
[   69.014852][ T5831]  ? check_panic_on_warn+0x1f/0xb0
[   69.019999][ T5831]  check_panic_on_warn+0xab/0xb0
[   69.024936][ T5831]  end_report+0x117/0x180
[   69.029293][ T5831]  kasan_report+0xe9/0x110
[   69.033721][ T5831]  ? binder_add_device+0xa4/0xb0
[   69.038759][ T5831]  ? binder_add_device+0xa4/0xb0
[   69.043707][ T5831]  binder_add_device+0xa4/0xb0
[   69.048650][ T5831]  binderfs_binder_device_create.isra.0+0x8ec/0xad0
[   69.055244][ T5831]  binderfs_fill_super+0x848/0x1240
[   69.060533][ T5831]  ? __pfx_binderfs_fill_super+0x10/0x10
[   69.066178][ T5831]  ? shrinker_register+0x1a8/0x260
[   69.071388][ T5831]  ? sget_fc+0x488/0xb90
[   69.075623][ T5831]  ? apparmor_capable+0x114/0x1d0
[   69.080661][ T5831]  ? __pfx_set_anon_super_fc+0x10/0x10
[   69.086126][ T5831]  ? __pfx_binderfs_fill_super+0x10/0x10
[   69.091771][ T5831]  get_tree_nodev+0xda/0x190
[   69.096533][ T5831]  vfs_get_tree+0x8b/0x340
[   69.101038][ T5831]  path_mount+0x6e1/0x1f00
[   69.105455][ T5831]  ? kmem_cache_free+0x2e2/0x4d0
[   69.110483][ T5831]  ? __pfx_path_mount+0x10/0x10
[   69.115337][ T5831]  ? putname+0x13c/0x180
[   69.119593][ T5831]  __x64_sys_mount+0x28f/0x310
[   69.124364][ T5831]  ? __pfx___x64_sys_mount+0x10/0x10
[   69.129663][ T5831]  do_syscall_64+0xcd/0x250
[   69.134173][ T5831]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.140070][ T5831] RIP: 0033:0x7f7d35d8e54a
[   69.144488][ T5831] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   69.164102][ T5831] RSP: 002b:00007ffdce499208 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   69.172522][ T5831] RAX: ffffffffffffffda RBX: 00007f7d35e0e663 RCX: 00007f7d35d8e54a
[   69.180667][ T5831] RDX: 00007f7d35e1dda7 RSI: 00007f7d35e0e663 RDI: 00007f7d35e1dda7
[   69.188634][ T5831] RBP: 00007f7d35e0e8ac R08: 0000000000000000 R09: 00000000000001ff
[   69.196600][ T5831] R10: 0000000000000000 R11: 0000000000000246 R12: 00005555731b04a8
[   69.204650][ T5831] R13: 00007ffdce4992b8 R14: 0000000000000009 R15: 0000000000000000
[   69.212823][ T5831]  </TASK>
[   69.216198][ T5831] Kernel Offset: disabled
[   69.220529][ T5831] Rebooting in 86400 seconds..