last executing test programs: 5.001048939s ago: executing program 0 (id=163): truncate(&(0x7f0000000000), 0x0) 4.852771518s ago: executing program 0 (id=165): clock_adjtime(0x0, &(0x7f0000000000)) 4.640254751s ago: executing program 0 (id=166): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bifrost', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/bifrost', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/bifrost', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/bifrost', 0x800, 0x0) 4.48586242s ago: executing program 0 (id=169): socket$inet_sctp(0x2, 0x1, 0x84) 4.30990984s ago: executing program 0 (id=170): rt_sigreturn() 4.30958099s ago: executing program 1 (id=171): process_madvise(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0) 3.96413942s ago: executing program 1 (id=172): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/full', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full', 0x800, 0x0) 3.775241221s ago: executing program 1 (id=173): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ppp', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ppp', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ppp', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ppp', 0x800, 0x0) 3.584869692s ago: executing program 1 (id=174): socket$rds(0x15, 0x5, 0x0) 3.319896818s ago: executing program 1 (id=175): syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) 399.395027ms ago: executing program 0 (id=178): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-monitor', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-monitor', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-monitor', 0x800, 0x0) 0s ago: executing program 1 (id=177): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/mls', 0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:49454' (ED25519) to the list of known hosts. [ 167.258497][ T30] audit: type=1400 audit(166.900:48): avc: denied { name_bind } for pid=3303 comm="sshd-session" src=30005 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 167.654852][ T30] audit: type=1400 audit(167.300:49): avc: denied { execute } for pid=3304 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 167.667393][ T30] audit: type=1400 audit(167.310:50): avc: denied { execute_no_trans } for pid=3304 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 173.279321][ T30] audit: type=1400 audit(172.920:51): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 173.296482][ T30] audit: type=1400 audit(172.930:52): avc: denied { mount } for pid=3304 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 173.345849][ T3304] cgroup: Unknown subsys name 'net' [ 173.377822][ T30] audit: type=1400 audit(173.020:53): avc: denied { unmount } for pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 173.876661][ T3304] cgroup: Unknown subsys name 'cpuset' [ 173.911304][ T3304] cgroup: Unknown subsys name 'rlimit' [ 174.338527][ T30] audit: type=1400 audit(173.980:54): avc: denied { setattr } for pid=3304 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 174.345317][ T30] audit: type=1400 audit(173.980:55): avc: denied { create } for pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 174.352010][ T30] audit: type=1400 audit(173.990:56): avc: denied { write } for pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 174.355652][ T30] audit: type=1400 audit(173.990:57): avc: denied { module_request } for pid=3304 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 174.542609][ T30] audit: type=1400 audit(174.190:58): avc: denied { read } for pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 174.573942][ T30] audit: type=1400 audit(174.220:59): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 174.579921][ T30] audit: type=1400 audit(174.220:60): avc: denied { mount } for pid=3304 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 175.233499][ T3307] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 175.413263][ T3304] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 197.695390][ T30] kauditd_printk_skb: 4 callbacks suppressed [ 197.703620][ T30] audit: type=1400 audit(197.340:65): avc: denied { execmem } for pid=3308 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 197.806314][ T30] audit: type=1400 audit(197.450:66): avc: denied { read } for pid=3310 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 197.809539][ T30] audit: type=1400 audit(197.450:67): avc: denied { open } for pid=3310 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 197.825968][ T30] audit: type=1400 audit(197.470:68): avc: denied { mounton } for pid=3310 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 198.677445][ T30] audit: type=1400 audit(198.320:69): avc: denied { mount } for pid=3311 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 198.756450][ T30] audit: type=1400 audit(198.400:70): avc: denied { mounton } for pid=3311 comm="syz-executor" path="/syzkaller.KoHDIM/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 198.801689][ T30] audit: type=1400 audit(198.430:71): avc: denied { mount } for pid=3311 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 198.825822][ T30] audit: type=1400 audit(198.470:72): avc: denied { mounton } for pid=3311 comm="syz-executor" path="/syzkaller.KoHDIM/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 198.849558][ T30] audit: type=1400 audit(198.490:73): avc: denied { mounton } for pid=3311 comm="syz-executor" path="/syzkaller.KoHDIM/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2650 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 198.893702][ T30] audit: type=1400 audit(198.540:74): avc: denied { unmount } for pid=3311 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 203.242929][ T30] kauditd_printk_skb: 14 callbacks suppressed [ 203.243754][ T30] audit: type=1400 audit(202.880:89): avc: denied { read } for pid=3345 comm="syz.0.31" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 203.244128][ T30] audit: type=1400 audit(202.880:90): avc: denied { open } for pid=3345 comm="syz.0.31" path="/dev/uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 203.244518][ T30] audit: type=1400 audit(202.880:91): avc: denied { write } for pid=3345 comm="syz.0.31" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 203.604373][ T30] audit: type=1400 audit(203.250:92): avc: denied { create } for pid=3349 comm="syz.1.35" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 203.968210][ T30] audit: type=1400 audit(203.610:93): avc: denied { create } for pid=3353 comm="syz.0.38" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1 [ 205.394053][ T30] audit: type=1400 audit(205.030:94): avc: denied { read } for pid=3363 comm="syz.0.46" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 205.413930][ T30] audit: type=1400 audit(205.060:95): avc: denied { open } for pid=3363 comm="syz.0.46" path="/dev/snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 205.572144][ T30] audit: type=1400 audit(205.200:96): avc: denied { write } for pid=3363 comm="syz.0.46" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 206.919047][ T3371] mmap: syz.0.54 (3371) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 207.169675][ T30] audit: type=1400 audit(206.810:97): avc: denied { read write } for pid=3372 comm="syz.1.55" name="vhost-vsock" dev="devtmpfs" ino=714 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 207.191434][ T30] audit: type=1400 audit(206.820:98): avc: denied { open } for pid=3372 comm="syz.1.55" path="/dev/vhost-vsock" dev="devtmpfs" ino=714 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 208.484351][ T30] audit: type=1400 audit(208.130:99): avc: denied { create } for pid=3382 comm="syz.1.65" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 208.544774][ T30] audit: type=1400 audit(208.190:100): avc: denied { create } for pid=3383 comm="syz.0.66" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_rdma_socket permissive=1 [ 209.653268][ T30] audit: type=1400 audit(209.290:101): avc: denied { create } for pid=3390 comm="syz.0.72" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 209.658394][ T30] audit: type=1400 audit(209.300:102): avc: denied { read } for pid=3389 comm="syz.1.71" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 209.664231][ T30] audit: type=1400 audit(209.310:103): avc: denied { open } for pid=3389 comm="syz.1.71" path="/dev/autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 209.675523][ T30] audit: type=1400 audit(209.320:104): avc: denied { write } for pid=3389 comm="syz.1.71" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 210.028507][ T30] audit: type=1400 audit(209.670:105): avc: denied { read } for pid=3391 comm="syz.0.74" name="fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 210.042637][ T30] audit: type=1400 audit(209.680:106): avc: denied { open } for pid=3391 comm="syz.0.74" path="/dev/fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 210.043986][ T30] audit: type=1400 audit(209.680:107): avc: denied { write } for pid=3391 comm="syz.0.74" name="fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 218.037714][ T30] audit: type=1400 audit(217.680:108): avc: denied { create } for pid=3429 comm="syz.0.110" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1 [ 218.459857][ T30] audit: type=1400 audit(218.100:109): avc: denied { create } for pid=3431 comm="syz.0.112" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 219.383357][ T30] audit: type=1400 audit(219.030:110): avc: denied { read } for pid=3440 comm="syz.0.121" name="dlm-control" dev="devtmpfs" ino=87 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 219.385868][ T30] audit: type=1400 audit(219.030:111): avc: denied { open } for pid=3440 comm="syz.0.121" path="/dev/dlm-control" dev="devtmpfs" ino=87 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 219.397467][ T30] audit: type=1400 audit(219.030:112): avc: denied { write } for pid=3440 comm="syz.0.121" name="dlm-control" dev="devtmpfs" ino=87 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 220.729076][ T30] audit: type=1400 audit(220.350:113): avc: denied { create } for pid=3447 comm="syz.0.127" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 221.207740][ T30] audit: type=1400 audit(220.850:114): avc: denied { create } for pid=3451 comm="syz.1.131" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=phonet_socket permissive=1 [ 222.529758][ T30] audit: type=1400 audit(222.170:115): avc: denied { create } for pid=3462 comm="syz.1.140" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rose_socket permissive=1 [ 222.758586][ T30] audit: type=1400 audit(222.400:116): avc: denied { read } for pid=3464 comm="syz.0.142" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 222.778657][ T30] audit: type=1400 audit(222.420:117): avc: denied { open } for pid=3464 comm="syz.0.142" path="/dev/dri/card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 223.213404][ T30] kauditd_printk_skb: 1 callbacks suppressed [ 223.216266][ T30] audit: type=1400 audit(222.860:119): avc: denied { create } for pid=3466 comm="syz.1.144" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netrom_socket permissive=1 [ 226.259538][ T30] audit: type=1400 audit(225.900:120): avc: denied { create } for pid=3493 comm="syz.0.169" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=sctp_socket permissive=1 [ 227.211759][ T30] audit: type=1400 audit(226.830:121): avc: denied { create } for pid=3498 comm="syz.1.174" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rds_socket permissive=1 [ 230.564558][ T30] audit: type=1400 audit(230.210:122): avc: denied { mounton } for pid=3503 comm="syz-executor" path="/syzkaller.iN7D7B/syz-tmp" dev="vda" ino=1878 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 230.582600][ T30] audit: type=1400 audit(230.220:123): avc: denied { mount } for pid=3503 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 230.632641][ T30] audit: type=1400 audit(230.270:124): avc: denied { mounton } for pid=3503 comm="syz-executor" path="/dev/gadgetfs" dev="devtmpfs" ino=1545 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1 [ 231.093737][ T3310] ================================================================== [ 231.095123][ T3310] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 231.096647][ T3310] Write of size 8 at addr ffff000018ad1008 by task syz-executor/3310 [ 231.096854][ T3310] [ 231.097950][ T3310] CPU: 0 UID: 0 PID: 3310 Comm: syz-executor Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT [ 231.098056][ T3310] Hardware name: linux,dummy-virt (DT) [ 231.098362][ T3310] Call trace: [ 231.098547][ T3310] show_stack+0x18/0x24 (C) [ 231.098697][ T3310] dump_stack_lvl+0xa4/0xf4 [ 231.098762][ T3310] print_report+0xf4/0x60c [ 231.098813][ T3310] kasan_report+0xc8/0x108 [ 231.098856][ T3310] __asan_report_store8_noabort+0x20/0x2c [ 231.098896][ T3310] binderfs_evict_inode+0x2ac/0x2b4 [ 231.098938][ T3310] evict+0x2c0/0x67c [ 231.098979][ T3310] iput+0x3b0/0x6b4 [ 231.099016][ T3310] dentry_unlink_inode+0x208/0x46c [ 231.099058][ T3310] __dentry_kill+0x150/0x52c [ 231.099098][ T3310] shrink_dentry_list+0x114/0x3a4 [ 231.099139][ T3310] shrink_dcache_parent+0x158/0x354 [ 231.099182][ T3310] shrink_dcache_for_umount+0x88/0x304 [ 231.099225][ T3310] generic_shutdown_super+0x60/0x2e8 [ 231.099270][ T3310] kill_litter_super+0x68/0xa4 [ 231.099314][ T3310] binderfs_kill_super+0x38/0x88 [ 231.099355][ T3310] deactivate_locked_super+0x98/0x17c [ 231.099399][ T3310] deactivate_super+0xb0/0xd4 [ 231.099440][ T3310] cleanup_mnt+0x198/0x424 [ 231.099488][ T3310] __cleanup_mnt+0x14/0x20 [ 231.099529][ T3310] task_work_run+0x128/0x210 [ 231.099569][ T3310] do_exit+0x7ac/0x1f68 [ 231.099611][ T3310] do_group_exit+0xa4/0x208 [ 231.099649][ T3310] get_signal+0x1b00/0x1ba8 [ 231.099692][ T3310] do_signal+0x230/0x620 [ 231.099729][ T3310] do_notify_resume+0x18c/0x258 [ 231.099771][ T3310] el0_interrupt+0x140/0x1e0 [ 231.099815][ T3310] __el0_irq_handler_common+0x18/0x24 [ 231.099853][ T3310] el0t_32_irq_handler+0x10/0x1c [ 231.099890][ T3310] el0t_32_irq+0x19c/0x1a0 [ 231.100178][ T3310] [ 231.101199][ T3310] Allocated by task 3311: [ 231.101482][ T3310] kasan_save_stack+0x3c/0x64 [ 231.101611][ T3310] kasan_save_track+0x20/0x3c [ 231.101699][ T3310] kasan_save_alloc_info+0x40/0x54 [ 231.101778][ T3310] __kasan_kmalloc+0xb8/0xbc [ 231.101891][ T3310] __kmalloc_cache_noprof+0x1b0/0x3cc [ 231.102083][ T3310] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 231.102267][ T3310] binderfs_fill_super+0x69c/0xed4 [ 231.102468][ T3310] get_tree_nodev+0xac/0x148 [ 231.102647][ T3310] binderfs_fs_context_get_tree+0x18/0x24 [ 231.102841][ T3310] vfs_get_tree+0x74/0x280 [ 231.103028][ T3310] path_mount+0xe54/0x1808 [ 231.103221][ T3310] __arm64_sys_mount+0x304/0x3dc [ 231.103411][ T3310] invoke_syscall+0x6c/0x258 [ 231.103608][ T3310] el0_svc_common.constprop.0+0xac/0x230 [ 231.103789][ T3310] do_el0_svc_compat+0x40/0x68 [ 231.103958][ T3310] el0_svc_compat+0x4c/0x17c [ 231.104120][ T3310] el0t_32_sync_handler+0x98/0x13c [ 231.104345][ T3310] el0t_32_sync+0x19c/0x1a0 [ 231.104601][ T3310] [ 231.104785][ T3310] Freed by task 3311: [ 231.104981][ T3310] kasan_save_stack+0x3c/0x64 [ 231.105176][ T3310] kasan_save_track+0x20/0x3c [ 231.105368][ T3310] kasan_save_free_info+0x4c/0x74 [ 231.105558][ T3310] __kasan_slab_free+0x50/0x6c [ 231.105744][ T3310] kfree+0x1bc/0x444 [ 231.105910][ T3310] binderfs_evict_inode+0x238/0x2b4 [ 231.106071][ T3310] evict+0x2c0/0x67c [ 231.106244][ T3310] iput+0x3b0/0x6b4 [ 231.106409][ T3310] dentry_unlink_inode+0x208/0x46c [ 231.106596][ T3310] __dentry_kill+0x150/0x52c [ 231.106776][ T3310] shrink_dentry_list+0x114/0x3a4 [ 231.106955][ T3310] shrink_dcache_parent+0x158/0x354 [ 231.107140][ T3310] shrink_dcache_for_umount+0x88/0x304 [ 231.107332][ T3310] generic_shutdown_super+0x60/0x2e8 [ 231.107530][ T3310] kill_litter_super+0x68/0xa4 [ 231.107719][ T3310] binderfs_kill_super+0x38/0x88 [ 231.107904][ T3310] deactivate_locked_super+0x98/0x17c [ 231.108095][ T3310] deactivate_super+0xb0/0xd4 [ 231.108308][ T3310] cleanup_mnt+0x198/0x424 [ 231.108505][ T3310] __cleanup_mnt+0x14/0x20 [ 231.108695][ T3310] task_work_run+0x128/0x210 [ 231.108876][ T3310] do_exit+0x7ac/0x1f68 [ 231.109090][ T3310] do_group_exit+0xa4/0x208 [ 231.109297][ T3310] get_signal+0x1b00/0x1ba8 [ 231.109493][ T3310] do_signal+0x160/0x620 [ 231.109675][ T3310] do_notify_resume+0x18c/0x258 [ 231.109861][ T3310] el0_svc_compat+0xfc/0x17c [ 231.110123][ T3310] el0t_32_sync_handler+0x98/0x13c [ 231.110368][ T3310] el0t_32_sync+0x19c/0x1a0 [ 231.110590][ T3310] [ 231.110850][ T3310] The buggy address belongs to the object at ffff000018ad1000 [ 231.110850][ T3310] which belongs to the cache kmalloc-512 of size 512 [ 231.111191][ T3310] The buggy address is located 8 bytes inside of [ 231.111191][ T3310] freed 512-byte region [ffff000018ad1000, ffff000018ad1200) [ 231.111401][ T3310] [ 231.111688][ T3310] The buggy address belongs to the physical page: [ 231.112414][ T3310] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff000018ad1c00 pfn:0x58ad0 [ 231.113383][ T3310] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 231.113691][ T3310] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 231.114552][ T3310] page_type: f5(slab) [ 231.115286][ T3310] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc062d010 fffffdffc04ece10 [ 231.115515][ T3310] raw: ffff000018ad1c00 000000000010000d 00000000f5000000 0000000000000000 [ 231.115821][ T3310] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc062d010 fffffdffc04ece10 [ 231.116005][ T3310] head: ffff000018ad1c00 000000000010000d 00000000f5000000 0000000000000000 [ 231.116208][ T3310] head: 01ffc00000000002 fffffdffc062b401 00000000ffffffff 00000000ffffffff [ 231.116408][ T3310] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 231.116659][ T3310] page dumped because: kasan: bad access detected [ 231.116852][ T3310] [ 231.117011][ T3310] Memory state around the buggy address: [ 231.117687][ T3310] ffff000018ad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 231.117940][ T3310] ffff000018ad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 231.118152][ T3310] >ffff000018ad1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 231.118350][ T3310] ^ [ 231.118636][ T3310] ffff000018ad1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 231.118800][ T3310] ffff000018ad1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 231.119055][ T3310] ================================================================== [ 231.193486][ T3310] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 231.411416][ T30] audit: type=1400 audit(231.050:125): avc: denied { sys_module } for pid=3507 comm="syz-executor" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 VM DIAGNOSIS: 14:31:40 Registers: info registers vcpu 0 CPU#0 PC=ffff80008447a654 X00=ffff00000e174a00 X01=0000000000000003 X02=1fffe00001eb43c9 X03=0000000000000010 X04=ffff60000328388d X05=ffff00001941c460 X06=ffff60000328388c X07=0000000000000001 X08=ffff00001941c463 X09=dfff800000000000 X10=ffff60000328388c X11=1fffe0000328388c X12=ffff60000328388d X13=0000000000000000 X14=1fffe00002e8ec65 X15=185080ebfa0d8292 X16=f9930000c966ffff X17=09a313bebf06430c X18=ffff00001420b140 X19=ffff800080005e50 X20=1ffff00010000bc6 X21=ffff7fffe3043000 X22=dead000000000100 X23=0000000000000001 X24=0000000000000000 X25=ffff80008143d3ec X26=0000000000000000 X27=00000000000000c0 X28=dfff800000000000 X29=ffff800080005d80 X30=ffff800080313bb0 SP=ffff800080005d80 PSTATE=60000005 -ZC- EL1h FPCR=00000000 FPSR=00000000 Q00=2525252525252525:2525252525252525 Q01=6572207265767265:730073250a0d0a0d Q02=6e5f3865726f7473:5f74726f7065725f Q03=0000000000000000:00ff00ff00000000 Q04=0000000000000000:000000000f0f0000 Q05=72656c6c616b7a79:732d3563722d302e Q06=203a29323a303332:2e39332874696475 Q07=2035393237363934:3932343d64697561 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffe1b5d420:0000ffffe1b5d420 Q17=ffffff80ffffffd8:0000ffffe1b5d3f0 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff80008024c840 X00=dfff800000000000 X01=1fffe0000d41655f X02=ffff60000259d127 X03=ffff000012ce8940 X04=ffff700014224fa5 X05=ffff8000a1127d20 X06=ffff80008024c580 X07=0000000000000001 X08=ffff00001318dac0 X09=dfff800000000000 X10=ffff700014224fa4 X11=1ffff00014224fa4 X12=ffff8000872bda60 X13=0000000000000000 X14=ffff00006a0c05b0 X15=0000000000000004 X16=ffff80008d440000 X17=ffff7fffe3066000 X18=0000000000000029 X19=1ffff00014224fa0 X20=0000000000000000 X21=ffff8000870c13a8 X22=dfff800000000000 X23=0000000000000000 X24=0000000000000000 X25=ffff80008024c580 X26=0000000000000000 X27=0000000000000000 X28=ffff8000a1127ba0 X29=ffff8000a1127ac0 X30=ffff800080313bb0 SP=ffff8000a11279f0 PSTATE=60000005 -ZC- EL1h FPCR=00000000 FPSR=00000000 Q00=2525252525252525:2525252525252525 Q01=742064656c696146:0000000000006425 Q02=0000000000000000:ffffffffffffff00 Q03=0000000000000000:ffffffffffff00ff Q04=0000000000000000:00000000ffffff0f Q05=0000000000000000:30000000cccccccc Q06=0000000000000073:0000aaaaf1eaa3e0 Q07=0000000000000074:0000aaaaf1ea7620 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffe35a4770:0000ffffe35a4770 Q17=ffffff80ffffffd8:0000ffffe35a4740 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000