last executing test programs:
550.442913ms ago: executing program 2 (id=119):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwrng', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwrng', 0x800, 0x0)
549.827536ms ago: executing program 2 (id=123):
fchown(0xffffffffffffffff, 0x0, 0x0)
486.464993ms ago: executing program 2 (id=128):
rt_sigsuspend(&(0x7f0000000000), 0x0)
486.274806ms ago: executing program 2 (id=131):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/relabel', 0x2, 0x0)
485.542652ms ago: executing program 5 (id=136):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sr0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sr0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sr0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sr0', 0x800, 0x0)
430.852573ms ago: executing program 2 (id=137):
syz_open_dev$audion(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$audion(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$audion(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$audion(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$audion(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$audion(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$audion(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$audion(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$audion(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$audion(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$audion(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$audion(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$audion(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$audion(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$audion(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$audion(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$audion(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$audion(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$audion(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$audion(&(0x7f0000000500), 0x4, 0x800)
430.133592ms ago: executing program 0 (id=144):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwbinder', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwbinder', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwbinder', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwbinder', 0x800, 0x0)
430.031731ms ago: executing program 4 (id=145):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ppp', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ppp', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ppp', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ppp', 0x800, 0x0)
355.690709ms ago: executing program 1 (id=147):
open_by_handle_at(0xffffffffffffffff, &(0x7f0000000000), 0x0)
355.59572ms ago: executing program 4 (id=148):
syz_open_dev$ndb(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$ndb(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$ndb(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$ndb(&(0x7f0000000100), 0x0, 0x800)
355.488668ms ago: executing program 0 (id=149):
readv(0xffffffffffffffff, &(0x7f0000000000), 0x0)
355.36496ms ago: executing program 1 (id=150):
io_destroy(0x0)
355.316453ms ago: executing program 3 (id=151):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/btrfs-control', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/btrfs-control', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/btrfs-control', 0x800, 0x0)
353.218721ms ago: executing program 0 (id=152):
shutdown(0xffffffffffffffff, 0x0)
306.2668ms ago: executing program 1 (id=153):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/direct', 0x2, 0x0)
306.175004ms ago: executing program 3 (id=154):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video2', 0x2, 0x0)
306.107493ms ago: executing program 0 (id=155):
timer_delete(0x0)
306.057417ms ago: executing program 3 (id=156):
vmsplice(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)
306.009175ms ago: executing program 1 (id=157):
getpid()
305.893075ms ago: executing program 4 (id=158):
syz_open_dev$mouse(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$mouse(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$mouse(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$mouse(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$mouse(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$mouse(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$mouse(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$mouse(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$mouse(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$mouse(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$mouse(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$mouse(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$mouse(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$mouse(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$mouse(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$mouse(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$mouse(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$mouse(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$mouse(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$mouse(&(0x7f0000000500), 0x4, 0x800)
305.815948ms ago: executing program 3 (id=159):
syz_open_dev$vcsn(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$vcsn(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$vcsn(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$vcsn(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$vcsn(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$vcsn(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$vcsn(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$vcsn(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$vcsn(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$vcsn(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$vcsn(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$vcsn(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$vcsn(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$vcsn(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$vcsn(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$vcsn(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$vcsn(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$vcsn(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$vcsn(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$vcsn(&(0x7f0000000500), 0x4, 0x800)
305.73884ms ago: executing program 1 (id=160):
sync_file_range(0xffffffffffffffff, 0x0, 0x0, 0x0)
305.68309ms ago: executing program 0 (id=161):
socket$kcm(0x29, 0x2, 0x0)
250.840796ms ago: executing program 3 (id=162):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/avc/cache_threshold', 0x2, 0x0)
250.764628ms ago: executing program 0 (id=163):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/binder/failed_transaction_log', 0x0, 0x0)
250.655765ms ago: executing program 1 (id=164):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/zero', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/zero', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero', 0x800, 0x0)
250.506003ms ago: executing program 3 (id=165):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/audio', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio', 0x800, 0x0)
176.8079ms ago: executing program 2 (id=169):
socket$rds(0x15, 0x5, 0x0)
114.94064ms ago: executing program 4 (id=171):
landlock_restrict_self(0xffffffffffffffff, 0x0)
114.807246ms ago: executing program 5 (id=172):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/bluetooth/6lowpan_enable', 0x2, 0x0)
61.534524ms ago: executing program 4 (id=173):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/tcp_congestion_control', 0x1, 0x0)
61.500876ms ago: executing program 4 (id=174):
fallocate(0xffffffffffffffff, 0x0, 0x0, 0x0)
61.482726ms ago: executing program 5 (id=175):
process_vm_writev(0x0, &(0x7f0000000000), 0x0, &(0x7f0000000000), 0x0, 0x0)
50.211255ms ago: executing program 5 (id=177):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ttyprintk', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ttyprintk', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyprintk', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ttyprintk', 0x800, 0x0)
23.511499ms ago: executing program 5 (id=178):
pivot_root(&(0x7f0000000000), &(0x7f0000000000))
0s ago: executing program 5 (id=179):
syz_open_dev$usbfs(&(0x7f0000000040), 0x1, 0x0)
syz_open_dev$usbfs(&(0x7f0000000080), 0x1, 0x1)
syz_open_dev$usbfs(&(0x7f00000000c0), 0x1, 0x2)
syz_open_dev$usbfs(&(0x7f0000000100), 0x1, 0x800)
syz_open_dev$usbfs(&(0x7f0000000140), 0xb, 0x0)
syz_open_dev$usbfs(&(0x7f0000000180), 0xb, 0x1)
syz_open_dev$usbfs(&(0x7f00000001c0), 0xb, 0x2)
syz_open_dev$usbfs(&(0x7f0000000200), 0xb, 0x800)
syz_open_dev$usbfs(&(0x7f0000000240), 0x15, 0x0)
syz_open_dev$usbfs(&(0x7f0000000280), 0x15, 0x1)
syz_open_dev$usbfs(&(0x7f00000002c0), 0x15, 0x2)
syz_open_dev$usbfs(&(0x7f0000000300), 0x15, 0x800)
syz_open_dev$usbfs(&(0x7f0000000340), 0x1f, 0x0)
syz_open_dev$usbfs(&(0x7f0000000380), 0x1f, 0x1)
syz_open_dev$usbfs(&(0x7f00000003c0), 0x1f, 0x2)
syz_open_dev$usbfs(&(0x7f0000000400), 0x1f, 0x800)
syz_open_dev$usbfs(&(0x7f0000000440), 0x29, 0x0)
syz_open_dev$usbfs(&(0x7f0000000480), 0x29, 0x1)
syz_open_dev$usbfs(&(0x7f00000004c0), 0x29, 0x2)
syz_open_dev$usbfs(&(0x7f0000000500), 0x29, 0x800)
kernel console output (not intermixed with test programs):
Warning: Permanently added '[localhost]:29736' (ED25519) to the list of known hosts.
[ 41.739433][ T5270] cgroup: Unknown subsys name 'net'
[ 41.796183][ T5270] cgroup: Unknown subsys name 'cpuset'
[ 41.799096][ T5270] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 42.737607][ T5270] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 45.339901][ T5336] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 45.470878][ T5356] mmap: syz.4.43 (5356) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[ 45.645664][ T5390] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 46.597220][ T5487] ==================================================================
[ 46.599670][ T5487] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 46.602015][ T5487] Write of size 8 at addr ffff88804722dc08 by task syz-executor/5487
[ 46.605004][ T5487]
[ 46.605737][ T5487] CPU: 0 UID: 0 PID: 5487 Comm: syz-executor Not tainted 6.13.0-syzkaller-09196-gcd45f362fc1f #0
[ 46.605745][ T5487] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 46.605749][ T5487] Call Trace:
[ 46.605752][ T5487]
[ 46.605755][ T5487] dump_stack_lvl+0x241/0x360
[ 46.605765][ T5487] ? __pfx_dump_stack_lvl+0x10/0x10
[ 46.605771][ T5487] ? __pfx__printk+0x10/0x10
[ 46.605780][ T5487] ? _printk+0xd5/0x120
[ 46.605788][ T5487] ? __virt_addr_valid+0x183/0x530
[ 46.605798][ T5487] ? __virt_addr_valid+0x183/0x530
[ 46.605806][ T5487] print_report+0x169/0x550
[ 46.605815][ T5487] ? __virt_addr_valid+0x183/0x530
[ 46.605823][ T5487] ? __virt_addr_valid+0x183/0x530
[ 46.605830][ T5487] ? __virt_addr_valid+0x45f/0x530
[ 46.605838][ T5487] ? __phys_addr+0xba/0x170
[ 46.605846][ T5487] ? binder_add_device+0x5f/0xa0
[ 46.605854][ T5487] kasan_report+0x143/0x180
[ 46.605862][ T5487] ? binder_add_device+0x5f/0xa0
[ 46.605870][ T5487] binder_add_device+0x5f/0xa0
[ 46.605877][ T5487] binderfs_binder_device_create+0x7bf/0x9c0
[ 46.605885][ T5487] binderfs_fill_super+0x944/0xd90
[ 46.605893][ T5487] ? __pfx_binderfs_fill_super+0x10/0x10
[ 46.605902][ T5487] ? shrinker_register+0x160/0x230
[ 46.605910][ T5487] ? sget_fc+0x909/0x9c0
[ 46.605917][ T5487] ? __pfx_set_anon_super_fc+0x10/0x10
[ 46.605925][ T5487] ? __pfx_binderfs_fill_super+0x10/0x10
[ 46.605931][ T5487] get_tree_nodev+0xb7/0x140
[ 46.605939][ T5487] vfs_get_tree+0x90/0x2b0
[ 46.605947][ T5487] do_new_mount+0x2be/0xb40
[ 46.605954][ T5487] ? __pfx_do_new_mount+0x10/0x10
[ 46.605960][ T5487] __se_sys_mount+0x2d6/0x3c0
[ 46.605966][ T5487] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 46.605975][ T5487] ? __pfx___se_sys_mount+0x10/0x10
[ 46.605981][ T5487] ? do_syscall_64+0x100/0x230
[ 46.605990][ T5487] ? __x64_sys_mount+0x20/0xc0
[ 46.605996][ T5487] do_syscall_64+0xf3/0x230
[ 46.606004][ T5487] ? clear_bhb_loop+0x35/0x90
[ 46.606012][ T5487] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 46.606020][ T5487] RIP: 0033:0x7fdac558e54a
[ 46.606026][ T5487] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 46.606031][ T5487] RSP: 002b:00007ffd40060898 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 46.606038][ T5487] RAX: ffffffffffffffda RBX: 00007fdac560e663 RCX: 00007fdac558e54a
[ 46.606043][ T5487] RDX: 00007fdac561dda7 RSI: 00007fdac560e663 RDI: 00007fdac561dda7
[ 46.606047][ T5487] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 46.606051][ T5487] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdac5628480
[ 46.606054][ T5487] R13: 00007ffd40060918 R14: 0000000000000009 R15: 0000000000000000
[ 46.606060][ T5487]
[ 46.606062][ T5487]
[ 46.684907][ T5487] Allocated by task 5304:
[ 46.686138][ T5487] kasan_save_track+0x3f/0x80
[ 46.687455][ T5487] __kasan_kmalloc+0x98/0xb0
[ 46.688787][ T5487] __kmalloc_cache_noprof+0x243/0x390
[ 46.690308][ T5487] binderfs_binder_device_create+0x16c/0x9c0
[ 46.691990][ T5487] binderfs_fill_super+0x944/0xd90
[ 46.693444][ T5487] get_tree_nodev+0xb7/0x140
[ 46.694767][ T5487] vfs_get_tree+0x90/0x2b0
[ 46.696031][ T5487] do_new_mount+0x2be/0xb40
[ 46.697307][ T5487] __se_sys_mount+0x2d6/0x3c0
[ 46.698648][ T5487] do_syscall_64+0xf3/0x230
[ 46.699954][ T5487] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 46.701600][ T5487]
[ 46.702300][ T5487] Freed by task 5304:
[ 46.703443][ T5487] kasan_save_track+0x3f/0x80
[ 46.704803][ T5487] kasan_save_free_info+0x40/0x50
[ 46.706203][ T5487] __kasan_slab_free+0x59/0x70
[ 46.707566][ T5487] kfree+0x196/0x430
[ 46.708665][ T5487] evict+0x4e8/0x9a0
[ 46.709763][ T5487] __dentry_kill+0x20d/0x630
[ 46.711063][ T5487] shrink_kill+0xa9/0x2c0
[ 46.712293][ T5487] shrink_dentry_list+0x2c0/0x5b0
[ 46.713720][ T5487] shrink_dcache_parent+0xcb/0x3b0
[ 46.715152][ T5487] do_one_tree+0x23/0xe0
[ 46.716382][ T5487] shrink_dcache_for_umount+0xb4/0x180
[ 46.717914][ T5487] generic_shutdown_super+0x6a/0x2d0
[ 46.719393][ T5487] kill_litter_super+0x76/0xb0
[ 46.720776][ T5487] binderfs_kill_super+0x44/0x90
[ 46.722176][ T5487] deactivate_locked_super+0xc4/0x130
[ 46.723680][ T5487] cleanup_mnt+0x41f/0x4b0
[ 46.724967][ T5487] task_work_run+0x24f/0x310
[ 46.726295][ T5487] do_exit+0xa2a/0x28e0
[ 46.727443][ T5487] do_group_exit+0x207/0x2c0
[ 46.728747][ T5487] get_signal+0x16b2/0x1750
[ 46.730039][ T5487] arch_do_signal_or_restart+0x96/0x860
[ 46.731574][ T5487] syscall_exit_to_user_mode+0xce/0x340
[ 46.733154][ T5487] do_syscall_64+0x100/0x230
[ 46.734485][ T5487] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 46.736163][ T5487]
[ 46.736848][ T5487] The buggy address belongs to the object at ffff88804722dc00
[ 46.736848][ T5487] which belongs to the cache kmalloc-512 of size 512
[ 46.740653][ T5487] The buggy address is located 8 bytes inside of
[ 46.740653][ T5487] freed 512-byte region [ffff88804722dc00, ffff88804722de00)
[ 46.744359][ T5487]
[ 46.745050][ T5487] The buggy address belongs to the physical page:
[ 46.746810][ T5487] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4722c
[ 46.749254][ T5487] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 46.751590][ T5487] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 46.753711][ T5487] page_type: f5(slab)
[ 46.754873][ T5487] raw: 04fff00000000040 ffff88801ac41c80 ffffea00010a7380 0000000000000004
[ 46.757255][ T5487] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 46.759655][ T5487] head: 04fff00000000040 ffff88801ac41c80 ffffea00010a7380 0000000000000004
[ 46.762078][ T5487] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 46.764506][ T5487] head: 04fff00000000001 ffffea00011c8b01 ffffffffffffffff 0000000000000000
[ 46.766877][ T5487] head: 0000000700000002 0000000000000000 00000000ffffffff 0000000000000000
[ 46.769316][ T5487] page dumped because: kasan: bad access detected
[ 46.771125][ T5487] page_owner tracks the page as allocated
[ 46.772725][ T5487] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5304, tgid 5304 (syz-executor), ts 45245546863, free_ts 45244199606
[ 46.778499][ T5487] post_alloc_hook+0x1f4/0x240
[ 46.779869][ T5487] get_page_from_freelist+0x365c/0x37a0
[ 46.781425][ T5487] __alloc_frozen_pages_noprof+0x292/0x710
[ 46.783059][ T5487] alloc_pages_mpol+0x311/0x660
[ 46.784435][ T5487] allocate_slab+0x8f/0x3a0
[ 46.785727][ T5487] ___slab_alloc+0xc27/0x14a0
[ 46.787070][ T5487] __slab_alloc+0x58/0xa0
[ 46.788318][ T5487] __kmalloc_cache_noprof+0x27b/0x390
[ 46.789813][ T5487] shmem_fill_super+0xcf/0x1110
[ 46.791185][ T5487] get_tree_nodev+0xb7/0x140
[ 46.792528][ T5487] vfs_get_tree+0x90/0x2b0
[ 46.793816][ T5487] do_new_mount+0x2be/0xb40
[ 46.795112][ T5487] __se_sys_mount+0x2d6/0x3c0
[ 46.796453][ T5487] do_syscall_64+0xf3/0x230
[ 46.797753][ T5487] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 46.799432][ T5487] page last free pid 5308 tgid 5308 stack trace:
[ 46.801208][ T5487] free_frozen_pages+0xe0d/0x10e0
[ 46.802656][ T5487] __mmdrop+0xb9/0x3d0
[ 46.803804][ T5487] finish_task_switch+0x304/0x870
[ 46.805235][ T5487] __schedule+0x1916/0x4c90
[ 46.806520][ T5487] preempt_schedule_common+0x84/0xd0
[ 46.808016][ T5487] preempt_schedule+0xe1/0xf0
[ 46.809351][ T5487] preempt_schedule_thunk+0x1a/0x30
[ 46.810820][ T5487] _raw_spin_unlock_irqrestore+0x130/0x140
[ 46.812463][ T5487] wake_up_new_task+0x81f/0xc70
[ 46.813833][ T5487] kernel_clone+0x4ee/0x8e0
[ 46.815101][ T5487] __x64_sys_clone+0x258/0x2a0
[ 46.816482][ T5487] do_syscall_64+0xf3/0x230
[ 46.817775][ T5487] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 46.819425][ T5487]
[ 46.820126][ T5487] Memory state around the buggy address:
[ 46.821711][ T5487] ffff88804722db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.823954][ T5487] ffff88804722db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.826174][ T5487] >ffff88804722dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.828445][ T5487] ^
[ 46.829689][ T5487] ffff88804722dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.831947][ T5487] ffff88804722dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.834164][ T5487] ==================================================================
[ 46.888639][ T5488] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 47.028342][ T5487] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 47.030506][ T5487] CPU: 0 UID: 0 PID: 5487 Comm: syz-executor Not tainted 6.13.0-syzkaller-09196-gcd45f362fc1f #0
[ 47.033585][ T5487] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 47.036760][ T5487] Call Trace:
[ 47.037772][ T5487]
[ 47.038670][ T5487] dump_stack_lvl+0x241/0x360
[ 47.040090][ T5487] ? __pfx_dump_stack_lvl+0x10/0x10
[ 47.041647][ T5487] ? __pfx__printk+0x10/0x10
[ 47.043039][ T5487] ? preempt_schedule+0xe1/0xf0
[ 47.044527][ T5487] ? vscnprintf+0x5d/0x90
[ 47.045830][ T5487] panic+0x349/0x880
[ 47.047011][ T5487] ? check_panic_on_warn+0x21/0xb0
[ 47.048549][ T5487] ? __pfx_panic+0x10/0x10
[ 47.049905][ T5487] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 47.051680][ T5487] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 47.053579][ T5487] ? print_report+0x502/0x550
[ 47.054999][ T5487] check_panic_on_warn+0x86/0xb0
[ 47.056493][ T5487] ? binder_add_device+0x5f/0xa0
[ 47.057979][ T5487] end_report+0x77/0x160
[ 47.059256][ T5487] kasan_report+0x154/0x180
[ 47.060639][ T5487] ? binder_add_device+0x5f/0xa0
[ 47.062122][ T5487] binder_add_device+0x5f/0xa0
[ 47.063555][ T5487] binderfs_binder_device_create+0x7bf/0x9c0
[ 47.065358][ T5487] binderfs_fill_super+0x944/0xd90
[ 47.066891][ T5487] ? __pfx_binderfs_fill_super+0x10/0x10
[ 47.068567][ T5487] ? shrinker_register+0x160/0x230
[ 47.070106][ T5487] ? sget_fc+0x909/0x9c0
[ 47.071383][ T5487] ? __pfx_set_anon_super_fc+0x10/0x10
[ 47.073017][ T5487] ? __pfx_binderfs_fill_super+0x10/0x10
[ 47.074688][ T5487] get_tree_nodev+0xb7/0x140
[ 47.076096][ T5487] vfs_get_tree+0x90/0x2b0
[ 47.077440][ T5487] do_new_mount+0x2be/0xb40
[ 47.078812][ T5487] ? __pfx_do_new_mount+0x10/0x10
[ 47.080328][ T5487] __se_sys_mount+0x2d6/0x3c0
[ 47.081744][ T5487] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 47.083526][ T5487] ? __pfx___se_sys_mount+0x10/0x10
[ 47.085093][ T5487] ? do_syscall_64+0x100/0x230
[ 47.086528][ T5487] ? __x64_sys_mount+0x20/0xc0
[ 47.087974][ T5487] do_syscall_64+0xf3/0x230
[ 47.089337][ T5487] ? clear_bhb_loop+0x35/0x90
[ 47.090755][ T5487] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 47.092522][ T5487] RIP: 0033:0x7fdac558e54a
[ 47.093878][ T5487] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 47.099553][ T5487] RSP: 002b:00007ffd40060898 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 47.102019][ T5487] RAX: ffffffffffffffda RBX: 00007fdac560e663 RCX: 00007fdac558e54a
[ 47.104385][ T5487] RDX: 00007fdac561dda7 RSI: 00007fdac560e663 RDI: 00007fdac561dda7
[ 47.106724][ T5487] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 47.109068][ T5487] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdac5628480
[ 47.111409][ T5487] R13: 00007ffd40060918 R14: 0000000000000009 R15: 0000000000000000
[ 47.113768][ T5487]
[ 47.115261][ T5487] Kernel Offset: disabled
[ 47.116585][ T5487] Rebooting in 86400 seconds..
VM DIAGNOSIS:
21:25:32 Registers:
info registers vcpu 0
CPU#0
RAX=0000000000000064 RBX=ffffffff9a74c0e0 RCX=0000000000000000 RDX=00000000000003f8
RSI=0000000000000000 RDI=0000000000000020 RBP=0000000000000000 RSP=ffffc9000d3a71d0
R8 =ffffffff8576bc8b R9 =1ffff11003e0f046 R10=dffffc0000000000 R11=ffffffff8576bc40
R12=dffffc0000000000 R13=0000000000000064 R14=0000000000000064 R15=00000000000003f8
RIP=ffffffff8576bcbe RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000555577612500 ffffffff 00c00000
GS =0000 ffff88801fc00000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe0000001000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=00007fdac545a710 CR3=000000004053a000 CR4=00352ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000fffe0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
Opmask00=00000000ffffff80 Opmask01=000000000000000f Opmask02=00000000ffffffef Opmask03=0000000000000000
Opmask04=0000000000000000 Opmask05=0000000000000000 Opmask06=0000000000000000 Opmask07=0000000000000000
ZMM00=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM01=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00007ffd400608b0 0000003000000010
ZMM02=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM03=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM04=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM05=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM06=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM07=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM08=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM09=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM10=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM11=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM12=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM13=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM14=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM15=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM16=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM17=0000000000000000 0000000000000000 0000000000000000 0000000000000000 2525252525252525 2525252525252525 2525252525252525 2525252525252525
ZMM18=0000000000000000 0000000000000000 0000000000000000 0000000000000000 6573726170206f74 2064656c69616600 277325273d727473 0035333535362030
ZMM19=0000000000000000 0000000000000000 0000000000000000 0000000000000000 4056574455054a51 054140494c444300 0256000218575156 0010161010130515
ZMM20=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM21=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM22=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM23=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM24=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM25=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM26=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM27=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM28=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM29=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM30=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM31=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000