last executing test programs: 13.808457905s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 13.486361075s ago: executing program 1 (id=2): close(0xffffffffffffffff) 11.895895247s ago: executing program 0 (id=3): write(0xffffffffffffffff, &(0x7f0000000000), 0x0) 11.626093889s ago: executing program 1 (id=4): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm', 0x800, 0x0) 8.745175703s ago: executing program 1 (id=6): eventfd2(0x0, 0x0) 2.089017392s ago: executing program 1 (id=7): mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) 0s ago: executing program 0 (id=5): mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:41133' (ED25519) to the list of known hosts. [ 492.717313][ T24] audit: type=1400 audit(492.140:64): avc: denied { name_bind } for pid=3282 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 493.567776][ T24] audit: type=1400 audit(493.000:65): avc: denied { execute } for pid=3284 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 493.596094][ T24] audit: type=1400 audit(493.030:66): avc: denied { execute_no_trans } for pid=3284 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 516.403753][ T24] audit: type=1400 audit(515.840:67): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 516.424521][ T24] audit: type=1400 audit(515.860:68): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 516.508151][ T3284] cgroup: Unknown subsys name 'net' [ 516.554418][ T24] audit: type=1400 audit(515.990:69): avc: denied { unmount } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 516.927435][ T3284] cgroup: Unknown subsys name 'cpuset' [ 517.012112][ T3284] cgroup: Unknown subsys name 'rlimit' [ 517.937892][ T24] audit: type=1400 audit(517.370:70): avc: denied { setattr } for pid=3284 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 517.977069][ T24] audit: type=1400 audit(517.390:71): avc: denied { create } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 517.979388][ T24] audit: type=1400 audit(517.410:72): avc: denied { write } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 517.993845][ T24] audit: type=1400 audit(517.430:73): avc: denied { module_request } for pid=3284 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 518.444173][ T24] audit: type=1400 audit(517.880:74): avc: denied { read } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 518.492752][ T24] audit: type=1400 audit(517.930:75): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 518.507323][ T24] audit: type=1400 audit(517.940:76): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 519.480674][ T3288] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 519.703219][ T3284] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 555.760126][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 555.760406][ T24] audit: type=1400 audit(555.200:81): avc: denied { execmem } for pid=3289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 556.028026][ T24] audit: type=1400 audit(555.460:82): avc: denied { read } for pid=3291 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 556.076125][ T24] audit: type=1400 audit(555.500:83): avc: denied { open } for pid=3291 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 556.139182][ T24] audit: type=1400 audit(555.560:84): avc: denied { mounton } for pid=3291 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 558.975872][ T24] audit: type=1400 audit(558.410:85): avc: denied { mount } for pid=3291 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 559.107786][ T24] audit: type=1400 audit(558.510:86): avc: denied { mounton } for pid=3291 comm="syz-executor" path="/syzkaller.LauZ51/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 559.256763][ T24] audit: type=1400 audit(558.690:87): avc: denied { mount } for pid=3291 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 559.259008][ T24] audit: type=1400 audit(558.690:88): avc: denied { mount } for pid=3292 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 559.506870][ T24] audit: type=1400 audit(558.930:89): avc: denied { mounton } for pid=3292 comm="syz-executor" path="/syzkaller.88UaAw/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 559.625794][ T24] audit: type=1400 audit(559.010:90): avc: denied { mounton } for pid=3292 comm="syz-executor" path="/syzkaller.88UaAw/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2877 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 563.370291][ T24] kauditd_printk_skb: 9 callbacks suppressed [ 563.370579][ T24] audit: type=1400 audit(562.750:100): avc: denied { read } for pid=3297 comm="syz.1.4" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 563.435922][ T24] audit: type=1400 audit(562.860:101): avc: denied { open } for pid=3297 comm="syz.1.4" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 563.509199][ T24] audit: type=1400 audit(562.950:102): avc: denied { write } for pid=3297 comm="syz.1.4" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 570.803787][ T24] audit: type=1400 audit(570.240:103): avc: denied { create } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 575.610274][ T24] audit: type=1400 audit(575.050:104): avc: denied { create } for pid=3309 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=user_namespace permissive=1 [ 575.706615][ T24] audit: type=1400 audit(575.140:105): avc: denied { sys_admin } for pid=3309 comm="syz-executor" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1 [ 576.777370][ T3308] ================================================================== [ 576.779787][ T3308] BUG: KASAN: slab-use-after-free in binder_add_device+0xf4/0xf8 [ 576.782053][ T3308] Write of size 8 at addr 77f0000013040208 by task syz-executor/3308 [ 576.783055][ T3308] Pointer tag: [77], memory tag: [b2] [ 576.783967][ T3308] [ 576.785349][ T3308] CPU: 0 UID: 0 PID: 3308 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 576.785840][ T3308] Hardware name: linux,dummy-virt (DT) [ 576.786263][ T3308] Call trace: [ 576.786593][ T3308] show_stack+0x2c/0x3c (C) [ 576.787138][ T3308] __dump_stack+0x30/0x40 [ 576.787495][ T3308] dump_stack_lvl+0xd8/0x12c [ 576.787769][ T3308] print_address_description+0xac/0x290 [ 576.788010][ T3308] print_report+0x84/0xa0 [ 576.788235][ T3308] kasan_report+0xb0/0x110 [ 576.788524][ T3308] kasan_tag_mismatch+0x28/0x3c [ 576.788707][ T3308] __hwasan_tag_mismatch+0x30/0x60 [ 576.788911][ T3308] binder_add_device+0xf4/0xf8 [ 576.789106][ T3308] binderfs_binder_device_create+0xbfc/0xc28 [ 576.789363][ T3308] binderfs_fill_super+0xb30/0xe20 [ 576.789566][ T3308] get_tree_nodev+0xdc/0x1cc [ 576.789819][ T3308] binderfs_fs_context_get_tree+0x28/0x38 [ 576.790018][ T3308] vfs_get_tree+0xc4/0x3cc [ 576.790267][ T3308] do_new_mount+0x2a0/0x988 [ 576.790546][ T3308] path_mount+0x650/0x101c [ 576.790784][ T3308] __arm64_sys_mount+0x36c/0x468 [ 576.791030][ T3308] invoke_syscall+0x90/0x2b4 [ 576.791274][ T3308] el0_svc_common+0x180/0x2f4 [ 576.791676][ T3308] do_el0_svc+0x58/0x74 [ 576.791930][ T3308] el0_svc+0x58/0x134 [ 576.792124][ T3308] el0t_64_sync_handler+0x78/0x108 [ 576.792304][ T3308] el0t_64_sync+0x198/0x19c [ 576.792819][ T3308] [ 576.805375][ T3308] Allocated by task 3292: [ 576.806238][ T3308] kasan_save_stack+0x40/0x6c [ 576.807100][ T3308] save_stack_info+0x30/0x138 [ 576.807835][ T3308] kasan_save_alloc_info+0x14/0x20 [ 576.808580][ T3308] __kasan_kmalloc+0x8c/0x90 [ 576.809393][ T3308] __kmalloc_cache_noprof+0x2a0/0x404 [ 576.810222][ T3308] binderfs_binder_device_create+0x1ac/0xc28 [ 576.811022][ T3308] binderfs_fill_super+0xb30/0xe20 [ 576.811772][ T3308] get_tree_nodev+0xdc/0x1cc [ 576.812574][ T3308] binderfs_fs_context_get_tree+0x28/0x38 [ 576.813396][ T3308] vfs_get_tree+0xc4/0x3cc [ 576.814153][ T3308] do_new_mount+0x2a0/0x988 [ 576.814932][ T3308] path_mount+0x650/0x101c [ 576.815712][ T3308] __arm64_sys_mount+0x36c/0x468 [ 576.816502][ T3308] invoke_syscall+0x90/0x2b4 [ 576.817304][ T3308] el0_svc_common+0x180/0x2f4 [ 576.818087][ T3308] do_el0_svc+0x58/0x74 [ 576.818844][ T3308] el0_svc+0x58/0x134 [ 576.819525][ T3308] el0t_64_sync_handler+0x78/0x108 [ 576.820242][ T3308] el0t_64_sync+0x198/0x19c [ 576.821052][ T3308] [ 576.821635][ T3308] Freed by task 3292: [ 576.822280][ T3308] kasan_save_stack+0x40/0x6c [ 576.823086][ T3308] save_stack_info+0x30/0x138 [ 576.823807][ T3308] kasan_save_free_info+0x18/0x24 [ 576.824560][ T3308] __kasan_slab_free+0x64/0x68 [ 576.825368][ T3308] kfree+0x148/0x44c [ 576.826109][ T3308] binderfs_evict_inode+0x1e8/0x2b8 [ 576.826854][ T3308] evict+0x4d4/0xbe8 [ 576.827532][ T3308] iput+0x928/0x9e0 [ 576.828242][ T3308] dentry_unlink_inode+0x624/0x660 [ 576.829021][ T3308] __dentry_kill+0x224/0x808 [ 576.829791][ T3308] shrink_kill+0xd4/0x2cc [ 576.830518][ T3308] shrink_dentry_list+0x420/0x970 [ 576.831302][ T3308] shrink_dcache_parent+0x80/0x200 [ 576.832100][ T3308] do_one_tree+0x2c/0x148 [ 576.832850][ T3308] shrink_dcache_for_umount+0xb0/0x198 [ 576.833692][ T3308] generic_shutdown_super+0x84/0x424 [ 576.834495][ T3308] kill_litter_super+0xa4/0xdc [ 576.835252][ T3308] binderfs_kill_super+0x50/0xcc [ 576.836010][ T3308] deactivate_locked_super+0xf0/0x17c [ 576.836805][ T3308] deactivate_super+0xf4/0x104 [ 576.837604][ T3308] cleanup_mnt+0x3fc/0x484 [ 576.838379][ T3308] __cleanup_mnt+0x20/0x30 [ 576.839128][ T3308] task_work_run+0x1bc/0x254 [ 576.839918][ T3308] do_exit+0x740/0x23b0 [ 576.840629][ T3308] do_group_exit+0x1d4/0x2ac [ 576.841383][ T3308] get_signal+0x1440/0x1554 [ 576.842105][ T3308] do_signal+0x23c/0x3ecc [ 576.842870][ T3308] do_notify_resume+0x78/0x27c [ 576.843629][ T3308] el0_svc+0xb0/0x134 [ 576.844295][ T3308] el0t_64_sync_handler+0x78/0x108 [ 576.845046][ T3308] el0t_64_sync+0x198/0x19c [ 576.845821][ T3308] [ 576.846385][ T3308] The buggy address belongs to the object at fff0000013040200 [ 576.846385][ T3308] which belongs to the cache kmalloc-512 of size 512 [ 576.847578][ T3308] The buggy address is located 8 bytes inside of [ 576.847578][ T3308] 272-byte region [fff0000013040200, fff0000013040310) [ 576.848733][ T3308] [ 576.849396][ T3308] The buggy address belongs to the physical page: [ 576.850431][ T3308] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53040 [ 576.851680][ T3308] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 576.852981][ T3308] page_type: f5(slab) [ 576.854199][ T3308] raw: 01ffc00000000000 70f000000c801900 ffffc1ffc04abe00 0000000000000004 [ 576.855163][ T3308] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 576.856292][ T3308] page dumped because: kasan: bad access detected [ 576.857101][ T3308] [ 576.857692][ T3308] Memory state around the buggy address: [ 576.858702][ T3308] fff0000013040000: 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 [ 576.859616][ T3308] fff0000013040100: 59 59 fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 576.860511][ T3308] >fff0000013040200: b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 [ 576.861376][ T3308] ^ [ 576.862167][ T3308] fff0000013040300: b2 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 576.863067][ T3308] fff0000013040400: 7f 7f 7f 7f 7f 7f 7f 7f 7f 7f 7f 7f 7f 7f 7f 7f [ 576.863980][ T3308] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 577.387730][ T3308] Disabling lock debugging due to kernel taint [ 577.436697][ T24] audit: type=1400 audit(576.870:106): avc: denied { mount } for pid=3308 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 VM DIAGNOSIS: 13:09:22 Registers: info registers vcpu 0 CPU#0 PC=ffff800082021744 X00=0000000000000003 X01=0000000000000002 X02=0000000000000001 X03=ffff80008044879c X04=0000000000000001 X05=0000000000000000 X06=ffff8000820211cc X07=ffff800080d9cffc X08=61f0000012a957c0 X09=0000000000000000 X10=0000000000ff0100 X11=00000000000000fe X12=0000000100000004 X13=0000000000000007 X14=0000000000000000 X15=0000000000000061 X16=00000000000000b2 X17=0000000000000077 X18=0000000000000061 X19=efff800000000000 X20=7ef000000dbf50c8 X21=7ef000000dbf52c8 X22=000000000000007e X23=000000000000007e X24=0000000000000002 X25=7ef000000dbf517a X26=7ef000000dbf52d8 X27=49ff80008c32b030 X28=000000000000007e X29=ffff80008f1973b0 X30=ffff800082021744 SP=ffff80008f197370 PSTATE=814020c9 N--- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=2525252525252525:2525252525252525 Z01=0000303030303031:0000000000000a64 Z02=0000000000000000:0000000000000000 Z03=ffff000000000000:ffffffffffff0000 Z04=0000000000000000:ff000000ffffff00 Z05=0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000ffffcfdfec50:0000ffffcfdfec50 Z17=ffffff80ffffffd0:0000ffffcfdfec20 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000