last executing test programs: 1.880312811s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 1.601149685s ago: executing program 1 (id=2): close(0xffffffffffffffff) 0s ago: executing program 0 (id=3): munmap(0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:49974' (ED25519) to the list of known hosts. [ 494.370164][ T24] audit: type=1400 audit(493.760:64): avc: denied { name_bind } for pid=3281 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 495.316531][ T24] audit: type=1400 audit(494.690:65): avc: denied { execute } for pid=3283 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 495.365392][ T24] audit: type=1400 audit(494.720:66): avc: denied { execute_no_trans } for pid=3283 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 517.490815][ T24] audit: type=1400 audit(516.880:67): avc: denied { mounton } for pid=3283 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 517.527576][ T24] audit: type=1400 audit(516.910:68): avc: denied { mount } for pid=3283 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 517.602413][ T3283] cgroup: Unknown subsys name 'net' [ 517.658403][ T24] audit: type=1400 audit(517.050:69): avc: denied { unmount } for pid=3283 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 518.058505][ T3283] cgroup: Unknown subsys name 'cpuset' [ 518.140838][ T3283] cgroup: Unknown subsys name 'rlimit' [ 519.060993][ T24] audit: type=1400 audit(518.450:70): avc: denied { setattr } for pid=3283 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 519.091847][ T24] audit: type=1400 audit(518.480:71): avc: denied { create } for pid=3283 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 519.115954][ T24] audit: type=1400 audit(518.500:72): avc: denied { write } for pid=3283 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 519.123357][ T24] audit: type=1400 audit(518.510:73): avc: denied { module_request } for pid=3283 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 519.554176][ T24] audit: type=1400 audit(518.940:74): avc: denied { read } for pid=3283 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 519.600399][ T24] audit: type=1400 audit(518.980:75): avc: denied { mounton } for pid=3283 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 519.625676][ T24] audit: type=1400 audit(519.000:76): avc: denied { mount } for pid=3283 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 520.568699][ T3287] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 520.793985][ T3283] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 556.890116][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 556.890398][ T24] audit: type=1400 audit(556.280:81): avc: denied { execmem } for pid=3288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 557.400481][ T24] audit: type=1400 audit(556.790:82): avc: denied { read } for pid=3290 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 557.425298][ T24] audit: type=1400 audit(556.810:83): avc: denied { open } for pid=3290 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 557.595766][ T24] audit: type=1400 audit(556.930:84): avc: denied { mounton } for pid=3290 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 560.769143][ T24] audit: type=1400 audit(560.160:85): avc: denied { mount } for pid=3290 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 560.876250][ T24] audit: type=1400 audit(560.260:86): avc: denied { mounton } for pid=3290 comm="syz-executor" path="/syzkaller.PAcfv3/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 561.016512][ T24] audit: type=1400 audit(560.390:87): avc: denied { mount } for pid=3290 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 561.295874][ T24] audit: type=1400 audit(560.660:88): avc: denied { mounton } for pid=3291 comm="syz-executor" path="/syzkaller.X77dt7/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 561.370012][ T24] audit: type=1400 audit(560.760:89): avc: denied { mounton } for pid=3291 comm="syz-executor" path="/syzkaller.X77dt7/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2875 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 561.546392][ T24] audit: type=1400 audit(560.930:90): avc: denied { unmount } for pid=3291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 561.938759][ T24] kauditd_printk_skb: 2 callbacks suppressed [ 561.939011][ T24] audit: type=1400 audit(561.330:93): avc: denied { mount } for pid=3291 comm="syz-executor" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 [ 561.966399][ T24] audit: type=1400 audit(561.340:94): avc: denied { mounton } for pid=3290 comm="syz-executor" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1 [ 561.996463][ T24] audit: type=1400 audit(561.380:95): avc: denied { mount } for pid=3291 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 562.196372][ T24] audit: type=1400 audit(561.580:96): avc: denied { read write } for pid=3290 comm="syz-executor" name="loop0" dev="devtmpfs" ino=637 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 562.199067][ T24] audit: type=1400 audit(561.580:97): avc: denied { open } for pid=3290 comm="syz-executor" path="/dev/loop0" dev="devtmpfs" ino=637 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 562.236302][ T24] audit: type=1400 audit(561.620:98): avc: denied { ioctl } for pid=3291 comm="syz-executor" path="/dev/loop1" dev="devtmpfs" ino=638 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 571.359808][ T3298] ================================================================== [ 571.362310][ T3298] BUG: KASAN: slab-use-after-free in binder_add_device+0xf4/0xf8 [ 571.364822][ T3298] Write of size 8 at addr 0af0000013140208 by task syz-executor/3298 [ 571.366173][ T3298] Pointer tag: [0a], memory tag: [31] [ 571.367030][ T3298] [ 571.368401][ T3298] CPU: 0 UID: 0 PID: 3298 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 571.368880][ T3298] Hardware name: linux,dummy-virt (DT) [ 571.369344][ T3298] Call trace: [ 571.369669][ T3298] show_stack+0x2c/0x3c (C) [ 571.370204][ T3298] __dump_stack+0x30/0x40 [ 571.370554][ T3298] dump_stack_lvl+0xd8/0x12c [ 571.370822][ T3298] print_address_description+0xac/0x290 [ 571.371075][ T3298] print_report+0x84/0xa0 [ 571.371316][ T3298] kasan_report+0xb0/0x110 [ 571.371574][ T3298] kasan_tag_mismatch+0x28/0x3c [ 571.371751][ T3298] __hwasan_tag_mismatch+0x30/0x60 [ 571.371954][ T3298] binder_add_device+0xf4/0xf8 [ 571.372143][ T3298] binderfs_binder_device_create+0xbfc/0xc28 [ 571.372348][ T3298] binderfs_fill_super+0xb30/0xe20 [ 571.372534][ T3298] get_tree_nodev+0xdc/0x1cc [ 571.372777][ T3298] binderfs_fs_context_get_tree+0x28/0x38 [ 571.372966][ T3298] vfs_get_tree+0xc4/0x3cc [ 571.373266][ T3298] do_new_mount+0x2a0/0x988 [ 571.373524][ T3298] path_mount+0x650/0x101c [ 571.373765][ T3298] __arm64_sys_mount+0x36c/0x468 [ 571.374029][ T3298] invoke_syscall+0x90/0x2b4 [ 571.374296][ T3298] el0_svc_common+0x180/0x2f4 [ 571.374539][ T3298] do_el0_svc+0x58/0x74 [ 571.374771][ T3298] el0_svc+0x58/0x134 [ 571.374945][ T3298] el0t_64_sync_handler+0x78/0x108 [ 571.375124][ T3298] el0t_64_sync+0x198/0x19c [ 571.375583][ T3298] [ 571.389737][ T3298] Allocated by task 3290: [ 571.390613][ T3298] kasan_save_stack+0x40/0x6c [ 571.391539][ T3298] save_stack_info+0x30/0x138 [ 571.392327][ T3298] kasan_save_alloc_info+0x14/0x20 [ 571.393115][ T3298] __kasan_kmalloc+0x8c/0x90 [ 571.393955][ T3298] __kmalloc_cache_noprof+0x2a0/0x404 [ 571.394855][ T3298] binderfs_binder_device_create+0x1ac/0xc28 [ 571.395676][ T3298] binderfs_fill_super+0xb30/0xe20 [ 571.396463][ T3298] get_tree_nodev+0xdc/0x1cc [ 571.397289][ T3298] binderfs_fs_context_get_tree+0x28/0x38 [ 571.398115][ T3298] vfs_get_tree+0xc4/0x3cc [ 571.398936][ T3298] do_new_mount+0x2a0/0x988 [ 571.399737][ T3298] path_mount+0x650/0x101c [ 571.400548][ T3298] __arm64_sys_mount+0x36c/0x468 [ 571.401396][ T3298] invoke_syscall+0x90/0x2b4 [ 571.402187][ T3298] el0_svc_common+0x180/0x2f4 [ 571.403019][ T3298] do_el0_svc+0x58/0x74 [ 571.403823][ T3298] el0_svc+0x58/0x134 [ 571.404545][ T3298] el0t_64_sync_handler+0x78/0x108 [ 571.405328][ T3298] el0t_64_sync+0x198/0x19c [ 571.406132][ T3298] [ 571.406693][ T3298] Freed by task 3290: [ 571.407358][ T3298] kasan_save_stack+0x40/0x6c [ 571.408150][ T3298] save_stack_info+0x30/0x138 [ 571.408933][ T3298] kasan_save_free_info+0x18/0x24 [ 571.409762][ T3298] __kasan_slab_free+0x64/0x68 [ 571.410593][ T3298] kfree+0x148/0x44c [ 571.411364][ T3298] binderfs_evict_inode+0x1e8/0x2b8 [ 571.412128][ T3298] evict+0x4d4/0xbe8 [ 571.412829][ T3298] iput+0x928/0x9e0 [ 571.413634][ T3298] dentry_unlink_inode+0x624/0x660 [ 571.414474][ T3298] __dentry_kill+0x224/0x808 [ 571.415213][ T3298] shrink_kill+0xd4/0x2cc [ 571.415977][ T3298] shrink_dentry_list+0x420/0x970 [ 571.416785][ T3298] shrink_dcache_parent+0x80/0x200 [ 571.417618][ T3298] do_one_tree+0x2c/0x148 [ 571.418375][ T3298] shrink_dcache_for_umount+0xb0/0x198 [ 571.419192][ T3298] generic_shutdown_super+0x84/0x424 [ 571.420058][ T3298] kill_litter_super+0xa4/0xdc [ 571.420907][ T3298] binderfs_kill_super+0x50/0xcc [ 571.421727][ T3298] deactivate_locked_super+0xf0/0x17c [ 571.422576][ T3298] deactivate_super+0xf4/0x104 [ 571.423395][ T3298] cleanup_mnt+0x3fc/0x484 [ 571.424171][ T3298] __cleanup_mnt+0x20/0x30 [ 571.425007][ T3298] task_work_run+0x1bc/0x254 [ 571.425897][ T3298] do_exit+0x740/0x23b0 [ 571.426637][ T3298] do_group_exit+0x1d4/0x2ac [ 571.427397][ T3298] get_signal+0x1440/0x1554 [ 571.428132][ T3298] do_signal+0x23c/0x3ecc [ 571.428952][ T3298] do_notify_resume+0x78/0x27c [ 571.429769][ T3298] el0_svc+0xb0/0x134 [ 571.430460][ T3298] el0t_64_sync_handler+0x78/0x108 [ 571.431225][ T3298] el0t_64_sync+0x198/0x19c [ 571.432016][ T3298] [ 571.432585][ T3298] The buggy address belongs to the object at fff0000013140200 [ 571.432585][ T3298] which belongs to the cache kmalloc-512 of size 512 [ 571.433930][ T3298] The buggy address is located 8 bytes inside of [ 571.433930][ T3298] 512-byte region [fff0000013140200, fff0000013140400) [ 571.435176][ T3298] [ 571.435824][ T3298] The buggy address belongs to the physical page: [ 571.436882][ T3298] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53140 [ 571.438196][ T3298] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 571.439630][ T3298] page_type: f5(slab) [ 571.440856][ T3298] raw: 01ffc00000000000 d7f000000c801900 dead000000000122 0000000000000000 [ 571.441895][ T3298] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 571.442942][ T3298] page dumped because: kasan: bad access detected [ 571.443802][ T3298] [ 571.444376][ T3298] Memory state around the buggy address: [ 571.445414][ T3298] fff0000013140000: 92 92 92 92 92 92 92 92 92 92 92 92 92 92 92 92 [ 571.446375][ T3298] fff0000013140100: 92 92 fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 571.447404][ T3298] >fff0000013140200: 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 [ 571.448332][ T3298] ^ [ 571.449159][ T3298] fff0000013140300: 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 [ 571.450143][ T3298] fff0000013140400: 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e [ 571.451106][ T3298] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 572.132593][ T3298] Disabling lock debugging due to kernel taint [ 572.270827][ T24] audit: type=1401 audit(571.660:99): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768" [ 572.465831][ T24] audit: type=1400 audit(571.840:100): avc: denied { mount } for pid=3299 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 VM DIAGNOSIS: 08:24:47 Registers: info registers vcpu 0 CPU#0 PC=ffff8000864b383c X00=0000000000000003 X01=0000000000000000 X02=0000000000000000 X03=ffff80008709b88e X04=ffff80008f0e7570 X05=0000000000000000 X06=ffff8000864c4768 X07=ffff800080d9cffc X08=ffff8000864b3834 X09=0000000000000001 X10=0000000000ff0100 X11=1ff0000012a68000 X12=0000000000ff0100 X13=0000000000000003 X14=0000000000000000 X15=000000000000001f X16=0000000000000031 X17=000000000000000a X18=000000000000001f X19=0000000000000004 X20=ffff80008771fe40 X21=1ff0000012a68008 X22=000000000000001f X23=00000000ffffffff X24=1ff0000012a68000 X25=ffff80008f0e7570 X26=ffff80008771fe40 X27=000000000000001f X28=0000000000000028 X29=ffff80008f0e73e0 X30=ffff80008058579c SP=ffff80008f0e73d0 PSTATE=614020c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=2525252525252525:2525252525252525 Z01=0000303030303031:0000000000000a64 Z02=0000000000000000:f0000000fffffff0 Z03=ffff000000000000:ffffffffffff0000 Z04=0000000000000000:ff000000ffffff00 Z05=0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000fffffacc35c0:0000fffffacc35c0 Z17=ffffff80ffffffd0:0000fffffacc3590 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000