last executing test programs:

3.809521746s ago: executing program 1 (id=86):
socket$igmp6(0xa, 0x3, 0x2)

3.620416552s ago: executing program 1 (id=88):
syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$I2C(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$I2C(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$I2C(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$I2C(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$I2C(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$I2C(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$I2C(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$I2C(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$I2C(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$I2C(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$I2C(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$I2C(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$I2C(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$I2C(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$I2C(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$I2C(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$I2C(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$I2C(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$I2C(&(0x7f0000000500), 0x4, 0x800)

3.457044467s ago: executing program 1 (id=91):
setrlimit(0x0, &(0x7f0000000000))

3.33716707s ago: executing program 1 (id=92):
brk(0x0)

3.152718336s ago: executing program 1 (id=94):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ndctl0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ndctl0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ndctl0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ndctl0', 0x800, 0x0)

880.918534ms ago: executing program 1 (id=97):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

538.551254ms ago: executing program 0 (id=112):
timerfd_create(0x0, 0x0)

368.516509ms ago: executing program 0 (id=113):
setresgid(0x0, 0x0, 0x0)

272.851472ms ago: executing program 0 (id=114):
getrusage(0x0, &(0x7f0000000000))

272.625292ms ago: executing program 0 (id=115):
getpgid(0x0)

130.390466ms ago: executing program 0 (id=116):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-control', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-control', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-control', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-control', 0x800, 0x0)

0s ago: executing program 0 (id=117):
socket$l2tp6(0xa, 0x2, 0x73)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:29874' (ED25519) to the list of known hosts.
syzkaller login: [  123.912661][ T3269] cgroup: Unknown subsys name 'net'
[  124.266213][ T3269] cgroup: Unknown subsys name 'cpuset'
[  124.308349][ T3269] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[  125.359690][ T3269] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[  138.096343][ T3358] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[  143.085663][ T3401] ==================================================================
[  143.091982][ T3401] BUG: KASAN: slab-use-after-free in binder_add_device+0x14/0x2c
[  143.093626][ T3401] Write at addr f3f0000004704f08 by task syz-executor/3401
[  143.094587][ T3401] Pointer tag: [f3], memory tag: [fe]
[  143.096304][ T3401] 
[  143.097866][ T3401] CPU: 1 UID: 0 PID: 3401 Comm: syz-executor Not tainted 6.13.0-syzkaller-09147-ge2ee2e9b1590 #0
[  143.098216][ T3401] Hardware name: linux,dummy-virt (DT)
[  143.098532][ T3401] Call trace:
[  143.098745][ T3401]  show_stack+0x18/0x24 (C)
[  143.099153][ T3401]  dump_stack_lvl+0x78/0x90
[  143.099324][ T3401]  print_report+0x108/0x618
[  143.099438][ T3401]  kasan_report+0x88/0xac
[  143.099545][ T3401]  __do_kernel_fault+0x170/0x1c8
[  143.099655][ T3401]  do_tag_check_fault+0x78/0x8c
[  143.099785][ T3401]  do_mem_abort+0x44/0x94
[  143.099892][ T3401]  el1_abort+0x40/0x60
[  143.100008][ T3401]  el1h_64_sync_handler+0xa4/0x120
[  143.100139][ T3401]  el1h_64_sync+0x6c/0x70
[  143.100363][ T3401]  binder_add_device+0x14/0x2c (P)
[  143.100483][ T3401]  binderfs_fill_super+0x220/0x4f8
[  143.100592][ T3401]  get_tree_nodev+0x70/0xb8
[  143.100702][ T3401]  binderfs_fs_context_get_tree+0x18/0x24
[  143.100842][ T3401]  vfs_get_tree+0x28/0xec
[  143.100977][ T3401]  path_mount+0x3f8/0xa78
[  143.101087][ T3401]  __arm64_sys_mount+0x1d4/0x2b4
[  143.101301][ T3401]  invoke_syscall+0x48/0x110
[  143.101458][ T3401]  el0_svc_common.constprop.0+0x40/0xe0
[  143.101626][ T3401]  do_el0_svc+0x1c/0x28
[  143.101790][ T3401]  el0_svc+0x30/0xe0
[  143.101925][ T3401]  el0t_64_sync_handler+0x10c/0x138
[  143.102034][ T3401]  el0t_64_sync+0x1a4/0x1a8
[  143.102356][ T3401] 
[  143.116132][ T3401] Freed by task 3276:
[  143.116960][ T3401]  kasan_save_stack+0x3c/0x64
[  143.117719][ T3401]  save_stack_info+0x40/0x158
[  143.118355][ T3401]  kasan_save_free_info+0x18/0x24
[  143.119202][ T3401]  __kasan_slab_free+0x74/0x8c
[  143.119966][ T3401]  kfree+0xfc/0x30c
[  143.120738][ T3401]  binderfs_evict_inode+0xe4/0xf8
[  143.121647][ T3401]  evict+0xec/0x254
[  143.122374][ T3401]  iput+0xfc/0x1b8
[  143.122904][ T3401]  dentry_unlink_inode+0xc0/0x188
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[  143.123503][ T3401]  __dentry_kill+0x7c/0x1d4
[  143.124363][ T3401]  shrink_dentry_list+0x74/0xe4
[  143.124958][ T3401]  shrink_dcache_parent+0xcc/0x14c
[  143.125579][ T3401]  shrink_dcache_for_umount+0x3c/0x1c8
[  143.126231][ T3401]  generic_shutdown_super+0x24/0x100
[  143.126854][ T3401]  kill_anon_super+0x20/0x90
[  143.127541][ T3401]  kill_litter_super+0x28/0x38
[  143.128366][ T3401]  binderfs_kill_super+0x18/0x40
[  143.129063][ T3401]  deactivate_locked_super+0x50/0x12c
[  143.129738][ T3401]  deactivate_super+0x84/0x9c
[  143.130347][ T3401]  cleanup_mnt+0xa0/0x130
[  143.130967][ T3401]  __cleanup_mnt+0x14/0x20
[  143.131584][ T3401]  task_work_run+0x78/0xd4
[  143.132414][ T3401]  do_exit+0x2c8/0x98c
[  143.133101][ T3401]  do_group_exit+0x34/0x90
[  143.133678][ T3401]  copy_siginfo_to_user+0x0/0xec
[  143.134412][ T3401]  do_signal+0xf0/0x360
[  143.135118][ T3401]  do_notify_resume+0xd8/0x164
[  143.135789][ T3401]  el0_svc+0xc0/0xe0
[  143.136410][ T3401]  el0t_64_sync_handler+0x10c/0x138
[  143.137038][ T3401]  el0t_64_sync+0x1a4/0x1a8
[  143.137743][ T3401] 
[  143.138236][ T3401] The buggy address belongs to the object at fff0000004704f00
[  143.138236][ T3401]  which belongs to the cache kmalloc-192 of size 192
[  143.139724][ T3401] The buggy address is located 8 bytes inside of
[  143.139724][ T3401]  192-byte region [fff0000004704f00, fff0000004704fc0)
[  143.140857][ T3401] 
[  143.141462][ T3401] The buggy address belongs to the physical page:
[  143.142314][ T3401] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xf8f0000004704780 pfn:0x44704
[  143.143483][ T3401] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[  143.144732][ T3401] page_type: f5(slab)
[  143.145754][ T3401] raw: 01ffc00000000000 f4f0000003001300 ffffc1ffc0135100 0000000000000002
[  143.146613][ T3401] raw: f8f0000004704780 0000000000150000 00000000f5000000 0000000000000000
[  143.147473][ T3401] page dumped because: kasan: bad access detected
[  143.148324][ T3401] 
[  143.148880][ T3401] Memory state around the buggy address:
[  143.149865][ T3401]  fff0000004704d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  143.150728][ T3401]  fff0000004704e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  143.151495][ T3401] >fff0000004704f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  143.152304][ T3401]                    ^
[  143.152923][ T3401]  fff0000004705000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  143.153761][ T3401]  fff0000004705100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  143.154600][ T3401] ==================================================================
[  143.157519][ T3401] Disabling lock debugging due to kernel taint

VM DIAGNOSIS:
18:16:53  Registers:
info registers vcpu 0

CPU#0
 PC=ffff8000800eecf8 X00=0000000000213295 X01=0000000000000000
X02=000000000000001f X03=00000000b9a78600 X04=00000000ffffffe0
X05=00000015a70ea09c X06=00000000000b090f X07=0000000000000000
X08=0000000000100000 X09=0000000000000409 X10=0000000000000000
X11=f2f00000065d2a00 X12=0000000000000000 X13=000000000000018d
X14=000000000000018d X15=0000000000000001 X16=ffff800080000000
X17=fff07ffffd143000 X18=0000000000000014 X19=f2f00000065d3800
X20=fff000007f8d4840 X21=000000000023b481 X22=fff000007f8d47c0
X23=0000000000000001 X24=fff000007f8d47c0 X25=0000000000000001
X26=0000000000000002 X27=0000000000000001 X28=0000000000000000
X29=ffff800080003520 X30=ffff8000800eee48  SP=ffff800080003520
PSTATE=804020c9 N--- EL2h  SVCR=00000000 --  BTYPE=0     FPCR=00000000 FPSR=00000000
P00=0000000000000000 P01=0000000000000000 P02=0000000000000000
P03=0000000000000000 P04=0000000000000000 P05=0000000000000000
P06=0000000000000000 P07=0000000000000000 P08=0000000000000000
P09=0000000000000000 P10=0000000000000000 P11=0000000000000000
P12=0000000000000000 P13=0000000000000000 P14=0000000000000000
P15=0000000000000000 FFR=0000000000000000
Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:2525252525252525:2525252525252525
Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:000000756c6c2570:6f6f6c2f7665642f
Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:fffff000000000f0
Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff000000ff00:0000000000000000
Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:fff000f000000000
Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff9f746458:0000ffff9f746450
Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff9f746468:0000ffff9f746460
Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffdad6c390:0000ffffdad6c390
Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffdad6c360
Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
info registers vcpu 1

CPU#1
 PC=ffff80008012859c X00=ffff8000827de6b8 X01=00000000ffffffff
X02=0000000000000001 X03=0000000000000001 X04=0000000000000001
X05=ffff800082a6d098 X06=ffff800082a6d098 X07=0000000000000018
X08=0000000080000000 X09=ffff8000827de840 X10=ffff80008288e840
X11=00000000000002f2 X12=00000000000008d6 X13=ffff8000827de840
X14=ffff800088efb358 X15=ffff800088efb1c0 X16=0000000000000000
X17=0000000000000000 X18=00000000ffffffff X19=00000000000000c0
X20=ffff8000822df838 X21=ffff8000822d8218 X22=ffff8000822df838
X23=ffffc1ffc011c100 X24=0000000000000000 X25=f8f00000040819b0
X26=0000000000000002 X27=0000000000000000 X28=f3f0000009928000
X29=ffff800088efb760 X30=ffff800081a6af30  SP=ffff800088efb760
PSTATE=624020c9 -ZC- EL2h  SVCR=00000000 --  BTYPE=0     FPCR=00000000 FPSR=00000000
P00=0000000000000000 P01=0000000000000000 P02=0000000000000000
P03=0000000000000000 P04=0000000000000000 P05=0000000000000000
P06=0000000000000000 P07=0000000000000000 P08=0000000000000000
P09=0000000000000000 P10=0000000000000000 P11=0000000000000000
P12=0000000000000000 P13=0000000000000000 P14=0000000000000000
P15=0000000000000000 FFR=0000000000000000
Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000303030303031
Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffff000000000000
Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00000000ff000000
Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffff000000000000:ffffffffffff0000
Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ff000000ffffff00
Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff9b346458:0000ffff9b346450
Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff9b346468:0000ffff9b346460
Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffd63fe250:0000ffffd63fe250
Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffd63fe220
Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000