last executing test programs:

493.585192ms ago: executing program 1 (id=344):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dsp', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp', 0x800, 0x0)

369.273721ms ago: executing program 1 (id=346):
open_tree(0xffffffffffffffff, &(0x7f0000000000), 0x0)

268.77033ms ago: executing program 0 (id=347):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/irnet', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/irnet', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/irnet', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/irnet', 0x800, 0x0)

268.39983ms ago: executing program 1 (id=348):
pidfd_send_signal(0xffffffffffffffff, 0x0, &(0x7f0000000000), 0x0)

190.917915ms ago: executing program 0 (id=349):
dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0)

190.662726ms ago: executing program 1 (id=350):
setitimer(0x0, &(0x7f0000000000), 0x0)

190.250525ms ago: executing program 0 (id=351):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/userio', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/userio', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/userio', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/userio', 0x800, 0x0)

100.620643ms ago: executing program 0 (id=352):
vmsplice(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)

100.347162ms ago: executing program 0 (id=353):
syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1)

100.189522ms ago: executing program 1 (id=354):
sched_getparam(0x0, &(0x7f0000000000))

177.06µs ago: executing program 1 (id=355):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/random', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/random', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/random', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/random', 0x800, 0x0)

0s ago: executing program 0 (id=356):
truncate(&(0x7f0000000000), 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:43147' (ED25519) to the list of known hosts.
syzkaller login: [ 95.049313][ T3305] cgroup: Unknown subsys name 'net'
[ 95.331612][ T3305] cgroup: Unknown subsys name 'cpuset'
[ 95.369882][ T3305] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 96.372149][ T3305] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 108.554658][ T3343] mmap: syz.0.29 (3343) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[ 110.919155][ T3399] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 126.486000][ T3311] ==================================================================
[ 126.491070][ T3311] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0xe8/0x114
[ 126.492024][ T3311] Write at addr faf0000004851cc8 by task syz-executor/3311
[ 126.492326][ T3311] Pointer tag: [fa], memory tag: [fe]
[ 126.492479][ T3311]
[ 126.493072][ T3311] CPU: 0 UID: 0 PID: 3311 Comm: syz-executor Not tainted 6.15.0-rc7-syzkaller-00144-gb1427432d3b6 #0 PREEMPT
[ 126.493411][ T3311] Hardware name: linux,dummy-virt (DT)
[ 126.493685][ T3311] Call trace:
[ 126.493968][ T3311] show_stack+0x18/0x24 (C)
[ 126.494306][ T3311] dump_stack_lvl+0x78/0x90
[ 126.494470][ T3311] print_report+0x108/0x630
[ 126.494630][ T3311] kasan_report+0x88/0xac
[ 126.494781][ T3311] __do_kernel_fault+0x170/0x1c8
[ 126.494914][ T3311] do_tag_check_fault+0x78/0x8c
[ 126.495034][ T3311] do_mem_abort+0x44/0x94
[ 126.495150][ T3311] el1_abort+0x40/0x60
[ 126.495268][ T3311] el1h_64_sync_handler+0xa4/0x120
[ 126.495385][ T3311] el1h_64_sync+0x6c/0x70
[ 126.495574][ T3311] binderfs_evict_inode+0xe8/0x114 (P)
[ 126.495705][ T3311] evict+0xec/0x240
[ 126.495823][ T3311] iput+0xfc/0x1b8
[ 126.495945][ T3311] dentry_unlink_inode+0xc0/0x188
[ 126.496080][ T3311] __dentry_kill+0x7c/0x1d4
[ 126.496203][ T3311] shrink_dentry_list+0x74/0xe4
[ 126.496323][ T3311] shrink_dcache_parent+0xcc/0x14c
[ 126.496441][ T3311] shrink_dcache_for_umount+0x3c/0x1c8
[ 126.496566][ T3311] generic_shutdown_super+0x24/0x100
[ 126.496749][ T3311] kill_anon_super+0x20/0x90
[ 126.496870][ T3311] kill_litter_super+0x28/0x38
[ 126.496985][ T3311] binderfs_kill_super+0x18/0x40
[ 126.497103][ T3311] deactivate_locked_super+0x50/0x12c
[ 126.497218][ T3311] deactivate_super+0x84/0x9c
[ 126.497337][ T3311] cleanup_mnt+0xf4/0x184
[ 126.497457][ T3311] __cleanup_mnt+0x14/0x20
[ 126.497574][ T3311] task_work_run+0x78/0xd4
[ 126.497697][ T3311] do_exit+0x2c8/0x944
[ 126.497841][ T3311] do_group_exit+0x34/0x90
[ 126.497956][ T3311] copy_siginfo_to_user+0x0/0xec
[ 126.498074][ T3311] do_signal+0x94/0x360
[ 126.498191][ T3311] do_notify_resume+0xd8/0x164
[ 126.498308][ T3311] el0_svc+0xc0/0xe0
[ 126.498433][ T3311] el0t_64_sync_handler+0x10c/0x138
[ 126.498550][ T3311] el0t_64_sync+0x1a4/0x1a8
[ 126.498837][ T3311]
[ 126.500787][ T3311] Freed by task 3312:
[ 126.501034][ T3311] kasan_save_stack+0x3c/0x64
[ 126.501280][ T3311] save_stack_info+0x40/0x158
[ 126.501482][ T3311] kasan_save_free_info+0x18/0x24
[ 126.501655][ T3311] __kasan_slab_free+0x74/0x8c
[ 126.501858][ T3311] kfree+0xfc/0x30c
[ 126.502030][ T3311] binderfs_evict_inode+0x100/0x114
[ 126.502194][ T3311] evict+0xec/0x240
[ 126.502353][ T3311] iput+0xfc/0x1b8
[ 126.502511][ T3311] dentry_unlink_inode+0xc0/0x188
[ 126.502678][ T3311] __dentry_kill+0x7c/0x1d4
[ 126.502840][ T3311] shrink_dentry_list+0x74/0xe4
[ 126.503018][ T3311] shrink_dcache_parent+0xcc/0x14c
[ 126.503191][ T3311] shrink_dcache_for_umount+0x3c/0x1c8
[ 126.503354][ T3311] generic_shutdown_super+0x24/0x100
[ 126.503589][ T3311] kill_anon_super+0x20/0x90
[ 126.503786][ T3311] kill_litter_super+0x28/0x38
[ 126.503952][ T3311] binderfs_kill_super+0x18/0x40
[ 126.504116][ T3311] deactivate_locked_super+0x50/0x12c
[ 126.504327][ T3311] deactivate_super+0x84/0x9c
[ 126.504489][ T3311] cleanup_mnt+0xf4/0x184
[ 126.504699][ T3311] __cleanup_mnt+0x14/0x20
[ 126.504862][ T3311] task_work_run+0x78/0xd4
[ 126.505023][ T3311] do_exit+0x2c8/0x944
[ 126.505183][ T3311] do_group_exit+0x34/0x90
[ 126.505342][ T3311] copy_siginfo_to_user+0x0/0xec
[ 126.505529][ T3311] do_signal+0x94/0x360
[ 126.505739][ T3311] do_notify_resume+0xd8/0x164
[ 126.505910][ T3311] el0_svc+0xc0/0xe0
[ 126.506072][ T3311] el0t_64_sync_handler+0x10c/0x138
[ 126.506234][ T3311] el0t_64_sync+0x1a4/0x1a8
[ 126.506435][ T3311]
[ 126.506573][ T3311] The buggy address belongs to the object at fff0000004851cc0
[ 126.506573][ T3311] which belongs to the cache kmalloc-192 of size 192
[ 126.506794][ T3311] The buggy address is located 8 bytes inside of
[ 126.506794][ T3311] 192-byte region [fff0000004851cc0, fff0000004851d80)
[ 126.506979][ T3311]
[ 126.507395][ T3311] The buggy address belongs to the physical page:
[ 126.507806][ T3311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfaf00000048510c0 pfn:0x44851
[ 126.508481][ T3311] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[ 126.509136][ T3311] page_type: f5(slab)
[ 126.509593][ T3311] raw: 01ffc00000000000 f1f0000003001300 ffffc1ffc0283400 0000000000000002
[ 126.509843][ T3311] raw: faf00000048510c0 000000000015000c 00000000f5000000 0000000000000000
[ 126.510065][ T3311] page dumped because: kasan: bad access detected
[ 126.510211][ T3311]
[ 126.510343][ T3311] Memory state around the buggy address:
[ 126.510622][ T3311] fff0000004851a00: f2 f2 f2 f2 f2 f2 f2 f2 f3 f3 f3 f3 f3 f3 f3 f3
[ 126.510828][ T3311] fff0000004851b00: f3 f3 f3 f3 fe fe fe fe fe fe fe fe fe fe fe fe
[ 126.511076][ T3311] >fff0000004851c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 126.511278][ T3311] ^
[ 126.511480][ T3311] fff0000004851d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 126.511666][ T3311] fff0000004851e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 126.511874][ T3311] ==================================================================
[ 126.514683][ T3311] Disabling lock debugging due to kernel taint
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)

VM DIAGNOSIS:
16:48:28 Registers: