last executing test programs:

1.055415549s ago: executing program 0 (id=152):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vfio/vfio', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vfio/vfio', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vfio/vfio', 0x800, 0x0)

902.036614ms ago: executing program 1 (id=153):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rfkill', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rfkill', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rfkill', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rfkill', 0x800, 0x0)

771.160678ms ago: executing program 0 (id=154):
fspick(0xffffffffffffffff, &(0x7f0000000000), 0x0)

770.846357ms ago: executing program 1 (id=155):
munmap(0x0, 0x0)

581.484173ms ago: executing program 1 (id=156):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/logging', 0x2, 0x0)

581.251623ms ago: executing program 0 (id=157):
socket$kcm(0x29, 0x2, 0x0)

382.565289ms ago: executing program 0 (id=158):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-monitor', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-monitor', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-monitor', 0x800, 0x0)

382.080019ms ago: executing program 1 (id=159):
getpid()

228.681543ms ago: executing program 1 (id=160):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptp0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptp0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptp0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptp0', 0x800, 0x0)

228.291504ms ago: executing program 0 (id=161):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/asound/card0/oss_mixer', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/asound/card0/oss_mixer', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/asound/card0/oss_mixer', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/proc/asound/card0/oss_mixer', 0x800, 0x0)

382.5µs ago: executing program 1 (id=162):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/bifrost', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/bifrost', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/bifrost', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/bifrost', 0x800, 0x0)

0s ago: executing program 0 (id=163):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/keychord', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/keychord', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/keychord', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/keychord', 0x800, 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:10109' (ED25519) to the list of known hosts.
[ 135.229189][ T29] audit: type=1400 audit(134.950:58): avc: denied { name_bind } for pid=3275 comm="sshd" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1
[ 135.567672][ T29] audit: type=1400 audit(135.290:59): avc: denied { execute } for pid=3277 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[ 135.570514][ T29] audit: type=1400 audit(135.300:60): avc: denied { execute_no_trans } for pid=3277 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[ 139.759992][ T29] audit: type=1400 audit(139.490:61): avc: denied { mounton } for pid=3277 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1736 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 139.774235][ T29] audit: type=1400 audit(139.500:62): avc: denied { mount } for pid=3277 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 139.802864][ T3277] cgroup: Unknown subsys name 'net'
[ 139.823118][ T29] audit: type=1400 audit(139.550:63): avc: denied { unmount } for pid=3277 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 140.299729][ T3277] cgroup: Unknown subsys name 'cpuset'
[ 140.330922][ T3277] cgroup: Unknown subsys name 'rlimit'
[ 140.620220][ T29] audit: type=1400 audit(140.350:64): avc: denied { setattr } for pid=3277 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 140.622465][ T29] audit: type=1400 audit(140.350:65): avc: denied { create } for pid=3277 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 140.624982][ T29] audit: type=1400 audit(140.350:66): avc: denied { write } for pid=3277 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 140.627796][ T29] audit: type=1400 audit(140.350:67): avc: denied { module_request } for pid=3277 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 140.780406][ T29] audit: type=1400 audit(140.510:68): avc: denied { read } for pid=3277 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 140.793948][ T29] audit: type=1400 audit(140.520:69): avc: denied { mounton } for pid=3277 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 140.795694][ T29] audit: type=1400 audit(140.520:70): avc: denied { mount } for pid=3277 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 141.125114][ T3280] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 141.130078][ T29] audit: type=1400 audit(140.860:71): avc: denied { relabelto } for pid=3280 comm="mkswap" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 141.134420][ T29] audit: type=1400 audit(140.860:72): avc: denied { write } for pid=3280 comm="mkswap" path="/swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
Setting up swapspace version 1, size = 127995904 bytes
[ 141.201103][ T29] audit: type=1400 audit(140.930:73): avc: denied { read } for pid=3277 comm="syz-executor" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 141.214732][ T3277] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 147.363849][ T29] kauditd_printk_skb: 1 callbacks suppressed
[ 147.364036][ T29] audit: type=1400 audit(147.090:75): avc: denied { execmem } for pid=3281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 147.457518][ T29] audit: type=1400 audit(147.180:76): avc: denied { read } for pid=3283 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 147.479676][ T29] audit: type=1400 audit(147.210:77): avc: denied { open } for pid=3283 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 147.491403][ T29] audit: type=1400 audit(147.220:78): avc: denied { mounton } for pid=3283 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 148.200244][ T29] audit: type=1400 audit(147.910:79): avc: denied { mount } for pid=3283 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 148.212962][ T29] audit: type=1400 audit(147.940:80): avc: denied { mounton } for pid=3283 comm="syz-executor" path="/syzkaller.8uyz8U/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 148.244214][ T29] audit: type=1400 audit(147.970:81): avc: denied { mount } for pid=3283 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 148.307806][ T29] audit: type=1400 audit(148.030:82): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/syzkaller.I9BBMM/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 148.309032][ T29] audit: type=1400 audit(148.040:83): avc: denied { mounton } for pid=3283 comm="syz-executor" path="/syzkaller.8uyz8U/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2747 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 148.334602][ T29] audit: type=1400 audit(148.060:84): avc: denied { unmount } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 153.087896][ T29] kauditd_printk_skb: 14 callbacks suppressed
[ 153.088001][ T29] audit: type=1400 audit(152.810:99): avc: denied { create } for pid=3323 comm="syz.1.35" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1
[ 153.955175][ T29] audit: type=1400 audit(153.680:100): avc: denied { create } for pid=3328 comm="syz.1.40" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1
[ 155.364009][ T29] audit: type=1400 audit(155.090:101): avc: denied { create } for pid=3340 comm="syz.1.52" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1
[ 155.474325][ T29] audit: type=1400 audit(155.200:102): avc: denied { read } for pid=3342 comm="syz.0.53" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1
[ 155.475367][ T29] audit: type=1400 audit(155.200:103): avc: denied { open } for pid=3342 comm="syz.0.53" path="/dev/dri/card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1
[ 155.495031][ T29] audit: type=1400 audit(155.220:104): avc: denied { write } for pid=3342 comm="syz.0.53" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1
[ 157.178147][ T29] audit: type=1400 audit(156.900:105): avc: denied { create } for pid=3359 comm="syz.1.70" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1
[ 157.459135][ T29] audit: type=1400 audit(157.170:106): avc: denied { read } for pid=3361 comm="syz.1.72" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1
[ 157.461676][ T29] audit: type=1400 audit(157.190:107): avc: denied { open } for pid=3361 comm="syz.1.72" path="/dev/snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1
[ 157.588266][ T29] audit: type=1400 audit(157.310:108): avc: denied { write } for pid=3361 comm="syz.1.72" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1
[ 158.142116][ T29] audit: type=1400 audit(157.870:109): avc: denied { create } for pid=3366 comm="syz.1.77" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_rdma_socket permissive=1
[ 158.251074][ T29] audit: type=1400 audit(157.960:110): avc: denied { sys_module } for pid=3367 comm="syz.0.78" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1
[ 160.800963][ T29] audit: type=1400 audit(160.530:111): avc: denied { create } for pid=3396 comm="syz.0.106" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=dccp_socket permissive=1
[ 161.074341][ T29] audit: type=1400 audit(160.800:112): avc: denied { create } for pid=3398 comm="syz.1.107" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1
[ 162.116313][ T29] audit: type=1400 audit(161.840:113): avc: denied { create } for pid=3408 comm="syz.0.116" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1
[ 163.138873][ T29] audit: type=1400 audit(162.870:114): avc: denied { create } for pid=3418 comm="syz.1.124" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=phonet_socket permissive=1
[ 163.518112][ T29] audit: type=1400 audit(163.250:115): avc: denied { create } for pid=3422 comm="syz.1.126" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1
[ 163.765336][ T29] audit: type=1400 audit(163.490:116): avc: denied { read } for pid=3424 comm="syz.1.128" name="mice" dev="devtmpfs" ino=704 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file permissive=1
[ 163.778901][ T29] audit: type=1400 audit(163.500:117): avc: denied { open } for pid=3424 comm="syz.1.128" path="/dev/input/mice" dev="devtmpfs" ino=704 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file permissive=1
[ 163.782752][ T29] audit: type=1400 audit(163.510:118): avc: denied { write } for pid=3424 comm="syz.1.128" name="mice" dev="devtmpfs" ino=704 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file permissive=1
[ 163.997567][ T29] audit: type=1400 audit(163.720:119): avc: denied { create } for pid=3425 comm="syz.0.129" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=caif_socket permissive=1
[ 165.503102][ T29] audit: type=1400 audit(165.230:120): avc: denied { create } for pid=3436 comm="syz.0.140" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1
[ 165.521967][ T29] audit: type=1400 audit(165.250:121): avc: denied { read } for pid=3437 comm="syz.1.139" name="usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1
[ 165.532239][ T29] audit: type=1400 audit(165.260:122): avc: denied { open } for pid=3437 comm="syz.1.139" path="/dev/usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1
[ 165.568204][ T29] audit: type=1400 audit(165.290:123): avc: denied { write } for pid=3437 comm="syz.1.139" name="usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1
[ 167.257942][ T29] audit: type=1400 audit(166.980:124): avc: denied { create } for pid=3455 comm="syz.0.157" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=kcm_socket permissive=1
[ 169.099776][ T3464] ==================================================================
[ 169.100752][ T3464] BUG: KASAN: slab-use-after-free in binder_add_device+0x98/0xb0
[ 169.101808][ T3464] Write of size 8 at addr ffff00000ed6d008 by task syz-executor/3464
[ 169.102073][ T3464]
[ 169.102970][ T3464] CPU: 0 UID: 0 PID: 3464 Comm: syz-executor Not tainted 6.13.0-syzkaller-09030-g6d61a53dd6f5 #0
[ 169.103175][ T3464] Hardware name: linux,dummy-virt (DT)
[ 169.103565][ T3464] Call trace:
[ 169.103963][ T3464] show_stack+0x18/0x24 (C)
[ 169.104117][ T3464] dump_stack_lvl+0xa4/0xf4
[ 169.104181][ T3464] print_report+0xf4/0x5a0
[ 169.104231][ T3464] kasan_report+0xc8/0x108
[ 169.104264][ T3464] __asan_report_store8_noabort+0x20/0x2c
[ 169.104300][ T3464] binder_add_device+0x98/0xb0
[ 169.104336][ T3464] binderfs_binder_device_create.isra.0+0x798/0x960
[ 169.104376][ T3464] binderfs_fill_super+0x668/0xe9c
[ 169.104576][ T3464] get_tree_nodev+0xac/0x148
[ 169.104627][ T3464] binderfs_fs_context_get_tree+0x18/0x24
[ 169.104667][ T3464] vfs_get_tree+0x74/0x280
[ 169.104705][ T3464] path_mount+0x750/0x1684
[ 169.104745][ T3464] __arm64_sys_mount+0x26c/0x4d8
[ 169.104808][ T3464] invoke_syscall+0x6c/0x258
[ 169.104847][ T3464] el0_svc_common.constprop.0+0xac/0x230
[ 169.104881][ T3464] do_el0_svc+0x40/0x58
[ 169.104914][ T3464] el0_svc+0x50/0x180
[ 169.104951][ T3464] el0t_64_sync_handler+0x10c/0x138
[ 169.104987][ T3464] el0t_64_sync+0x198/0x19c
[ 169.105176][ T3464]
[ 169.109497][ T3464] Allocated by task 3284:
[ 169.109879][ T3464] kasan_save_stack+0x3c/0x64
[ 169.110140][ T3464] kasan_save_track+0x20/0x3c
[ 169.110364][ T3464] kasan_save_alloc_info+0x40/0x54
[ 169.110571][ T3464] __kasan_kmalloc+0xb8/0xbc
[ 169.110791][ T3464] __kmalloc_cache_noprof+0x1b4/0x3d0
[ 169.111012][ T3464] binderfs_binder_device_create.isra.0+0x140/0x960
[ 169.111260][ T3464] binderfs_fill_super+0x668/0xe9c
[ 169.111470][ T3464] get_tree_nodev+0xac/0x148
[ 169.111673][ T3464] binderfs_fs_context_get_tree+0x18/0x24
[ 169.111903][ T3464] vfs_get_tree+0x74/0x280
[ 169.112100][ T3464] path_mount+0x750/0x1684
[ 169.112294][ T3464] __arm64_sys_mount+0x26c/0x4d8
[ 169.112504][ T3464] invoke_syscall+0x6c/0x258
[ 169.112705][ T3464] el0_svc_common.constprop.0+0xac/0x230
[ 169.112973][ T3464] do_el0_svc+0x40/0x58
[ 169.113166][ T3464] el0_svc+0x50/0x180
[ 169.113356][ T3464] el0t_64_sync_handler+0x10c/0x138
[ 169.113615][ T3464] el0t_64_sync+0x198/0x19c
[ 169.113862][ T3464]
[ 169.114033][ T3464] Freed by task 3284:
[ 169.114239][ T3464] kasan_save_stack+0x3c/0x64
[ 169.114457][ T3464] kasan_save_track+0x20/0x3c
[ 169.114672][ T3464] kasan_save_free_info+0x4c/0x74
[ 169.114880][ T3464] __kasan_slab_free+0x50/0x6c
[ 169.115088][ T3464] kfree+0x1bc/0x444
[ 169.115266][ T3464] binderfs_evict_inode+0x1c4/0x214
[ 169.115481][ T3464] evict+0x2d0/0x6b0
[ 169.115672][ T3464] iput+0x3b0/0x6b4
[ 169.115852][ T3464] dentry_unlink_inode+0x208/0x46c
[ 169.116067][ T3464] __dentry_kill+0x150/0x52c
[ 169.116273][ T3464] shrink_dentry_list+0x114/0x3a4
[ 169.116482][ T3464] shrink_dcache_parent+0x158/0x364
[ 169.116936][ T3464] shrink_dcache_for_umount+0x88/0x304
[ 169.117249][ T3464] generic_shutdown_super+0x60/0x2e8
[ 169.117467][ T3464] kill_litter_super+0x68/0xa4
[ 169.117690][ T3464] binderfs_kill_super+0x38/0x88
[ 169.117896][ T3464] deactivate_locked_super+0x98/0x17c
[ 169.118109][ T3464] deactivate_super+0xb0/0xd4
[ 169.118346][ T3464] cleanup_mnt+0x174/0x324
[ 169.118545][ T3464] __cleanup_mnt+0x14/0x20
[ 169.118834][ T3464] task_work_run+0x128/0x210
[ 169.119079][ T3464] do_exit+0x7a0/0x2044
[ 169.119342][ T3464] do_group_exit+0xa4/0x208
[ 169.119550][ T3464] get_signal+0x1a60/0x1b08
[ 169.119768][ T3464] do_signal+0x160/0x620
[ 169.119972][ T3464] do_notify_resume+0x18c/0x258
[ 169.120179][ T3464] el0_svc+0x100/0x180
[ 169.120367][ T3464] el0t_64_sync_handler+0x10c/0x138
[ 169.120607][ T3464] el0t_64_sync+0x198/0x19c
[ 169.120870][ T3464]
[ 169.121095][ T3464] The buggy address belongs to the object at ffff00000ed6d000
[ 169.121095][ T3464] which belongs to the cache kmalloc-512 of size 512
[ 169.121552][ T3464] The buggy address is located 8 bytes inside of
[ 169.121552][ T3464] freed 512-byte region [ffff00000ed6d000, ffff00000ed6d200)
[ 169.121934][ T3464]
[ 169.122145][ T3464] The buggy address belongs to the physical page:
[ 169.122748][ T3464] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff00000ed6cc00 pfn:0x4ed6c
[ 169.123476][ T3464] head:
order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 169.123837][ T3464] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff)
[ 169.124511][ T3464] page_type: f5(slab)
[ 169.125063][ T3464] raw: 01ffc00000000240 ffff00000d401c80 fffffdffc0609d10 ffff00000d4007c8
[ 169.125369][ T3464] raw: ffff00000ed6cc00 0000000000100003 00000000f5000000 0000000000000000
[ 169.125727][ T3464] head: 01ffc00000000240 ffff00000d401c80 fffffdffc0609d10 ffff00000d4007c8
[ 169.126009][ T3464] head: ffff00000ed6cc00 0000000000100003 00000000f5000000 0000000000000000
[ 169.126293][ T3464] head: 01ffc00000000002 fffffdffc03b5b01 ffffffffffffffff 0000000000000000
[ 169.126615][ T3464] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 169.127033][ T3464] page dumped because: kasan: bad access detected
[ 169.127286][ T3464]
[ 169.127459][ T3464] Memory state around the buggy address:
[ 169.127938][ T3464] ffff00000ed6cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 169.128241][ T3464] ffff00000ed6cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 169.128531][ T3464] >ffff00000ed6d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 169.128951][ T3464] ^
[ 169.129267][ T3464] ffff00000ed6d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 169.129535][ T3464] ffff00000ed6d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 169.129881][ T3464] ==================================================================
[ 169.148550][ T3464] Disabling lock debugging due to kernel taint
SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 169.174380][ T29] audit: type=1400 audit(168.900:125): avc: denied { mount } for pid=3464 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1

VM DIAGNOSIS:
09:33:33 Registers: