last executing test programs: 5.862358989s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 5.689255411s ago: executing program 1 (id=2): close(0xffffffffffffffff) 4.581865589s ago: executing program 0 (id=3): mmap(0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) 3.159823846s ago: executing program 0 (id=5): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm', 0x800, 0x0) 1.20538137s ago: executing program 0 (id=6): munmap(0x0, 0x0) 0s ago: executing program 0 (id=7): write(0xffffffffffffffff, &(0x7f0000000000), 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:31343' (ED25519) to the list of known hosts. [ 495.712188][ T24] audit: type=1400 audit(495.140:64): avc: denied { name_bind } for pid=3282 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 497.421109][ T24] audit: type=1400 audit(496.850:65): avc: denied { execute } for pid=3284 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 497.480719][ T24] audit: type=1400 audit(496.870:66): avc: denied { execute_no_trans } for pid=3284 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 519.034514][ T24] audit: type=1400 audit(518.460:67): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 519.068571][ T24] audit: type=1400 audit(518.500:68): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 519.143022][ T3284] cgroup: Unknown subsys name 'net' [ 519.186912][ T24] audit: type=1400 audit(518.620:69): avc: denied { unmount } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 519.572051][ T3284] cgroup: Unknown subsys name 'cpuset' [ 519.660421][ T3284] cgroup: Unknown subsys name 'rlimit' [ 520.583634][ T24] audit: type=1400 audit(520.010:70): avc: denied { setattr } for pid=3284 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 520.613196][ T24] audit: type=1400 audit(520.040:71): avc: denied { create } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 520.634351][ T24] audit: type=1400 audit(520.060:72): avc: denied { write } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 520.655449][ T24] audit: type=1400 audit(520.090:73): avc: denied { module_request } for pid=3284 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 521.088387][ T24] audit: type=1400 audit(520.520:74): avc: denied { read } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 521.141253][ T24] audit: type=1400 audit(520.570:75): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 521.167429][ T24] audit: type=1400 audit(520.600:76): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 522.138680][ T3288] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 522.368564][ T3284] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 559.901105][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 559.901378][ T24] audit: type=1400 audit(559.270:81): avc: denied { execmem } for pid=3289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 560.405411][ T24] audit: type=1400 audit(559.780:82): avc: denied { read } for pid=3291 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 560.408135][ T24] audit: type=1400 audit(559.830:83): avc: denied { open } for pid=3291 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 560.600356][ T24] audit: type=1400 audit(559.980:84): avc: denied { mounton } for pid=3291 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 563.885786][ T24] audit: type=1400 audit(563.320:85): avc: denied { mount } for pid=3291 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 564.011250][ T24] audit: type=1400 audit(563.440:86): avc: denied { mounton } for pid=3291 comm="syz-executor" path="/syzkaller.Kto8EB/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 564.077930][ T24] audit: type=1400 audit(563.510:87): avc: denied { mount } for pid=3291 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 564.215299][ T24] audit: type=1400 audit(563.650:88): avc: denied { mounton } for pid=3291 comm="syz-executor" path="/syzkaller.Kto8EB/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 564.266600][ T24] audit: type=1400 audit(563.700:89): avc: denied { mounton } for pid=3292 comm="syz-executor" path="/syzkaller.59CKD0/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2877 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 564.367840][ T24] audit: type=1400 audit(563.790:90): avc: denied { unmount } for pid=3292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 568.523161][ T24] kauditd_printk_skb: 8 callbacks suppressed [ 568.523474][ T24] audit: type=1400 audit(567.950:99): avc: denied { read } for pid=3299 comm="syz.0.5" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 568.642646][ T24] audit: type=1400 audit(568.060:100): avc: denied { open } for pid=3299 comm="syz.0.5" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 568.711262][ T24] audit: type=1400 audit(568.130:101): avc: denied { write } for pid=3299 comm="syz.0.5" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 575.664047][ T3301] ================================================================== [ 575.666667][ T3301] BUG: KASAN: slab-use-after-free in binder_add_device+0xf4/0xf8 [ 575.669247][ T3301] Write of size 8 at addr 05f0000013238208 by task syz-executor/3301 [ 575.670794][ T3301] Pointer tag: [05], memory tag: [89] [ 575.671793][ T3301] [ 575.673212][ T3301] CPU: 0 UID: 0 PID: 3301 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 575.673721][ T3301] Hardware name: linux,dummy-virt (DT) [ 575.674148][ T3301] Call trace: [ 575.674474][ T3301] show_stack+0x2c/0x3c (C) [ 575.675042][ T3301] __dump_stack+0x30/0x40 [ 575.675398][ T3301] dump_stack_lvl+0xd8/0x12c [ 575.675707][ T3301] print_address_description+0xac/0x290 [ 575.675947][ T3301] print_report+0x84/0xa0 [ 575.676164][ T3301] kasan_report+0xb0/0x110 [ 575.676414][ T3301] kasan_tag_mismatch+0x28/0x3c [ 575.676624][ T3301] __hwasan_tag_mismatch+0x30/0x60 [ 575.676830][ T3301] binder_add_device+0xf4/0xf8 [ 575.677016][ T3301] binderfs_binder_device_create+0xbfc/0xc28 [ 575.677206][ T3301] binderfs_fill_super+0xb30/0xe20 [ 575.677389][ T3301] get_tree_nodev+0xdc/0x1cc [ 575.677671][ T3301] binderfs_fs_context_get_tree+0x28/0x38 [ 575.677861][ T3301] vfs_get_tree+0xc4/0x3cc [ 575.678107][ T3301] do_new_mount+0x2a0/0x988 [ 575.678347][ T3301] path_mount+0x650/0x101c [ 575.678615][ T3301] __arm64_sys_mount+0x36c/0x468 [ 575.678867][ T3301] invoke_syscall+0x90/0x2b4 [ 575.679111][ T3301] el0_svc_common+0x180/0x2f4 [ 575.679387][ T3301] do_el0_svc+0x58/0x74 [ 575.679655][ T3301] el0_svc+0x58/0x134 [ 575.679836][ T3301] el0t_64_sync_handler+0x78/0x108 [ 575.680017][ T3301] el0t_64_sync+0x198/0x19c [ 575.680509][ T3301] [ 575.697706][ T3301] Allocated by task 3291: [ 575.698704][ T3301] kasan_save_stack+0x40/0x6c [ 575.699736][ T3301] save_stack_info+0x30/0x138 [ 575.700597][ T3301] kasan_save_alloc_info+0x14/0x20 [ 575.701524][ T3301] __kasan_kmalloc+0x8c/0x90 [ 575.702433][ T3301] __kmalloc_cache_noprof+0x2a0/0x404 [ 575.703456][ T3301] binderfs_binder_device_create+0x1ac/0xc28 [ 575.704444][ T3301] binderfs_fill_super+0xb30/0xe20 [ 575.705373][ T3301] get_tree_nodev+0xdc/0x1cc [ 575.706304][ T3301] binderfs_fs_context_get_tree+0x28/0x38 [ 575.707264][ T3301] vfs_get_tree+0xc4/0x3cc [ 575.708221][ T3301] do_new_mount+0x2a0/0x988 [ 575.709176][ T3301] path_mount+0x650/0x101c [ 575.710107][ T3301] __arm64_sys_mount+0x36c/0x468 [ 575.711029][ T3301] invoke_syscall+0x90/0x2b4 [ 575.712016][ T3301] el0_svc_common+0x180/0x2f4 [ 575.712884][ T3301] do_el0_svc+0x58/0x74 [ 575.713796][ T3301] el0_svc+0x58/0x134 [ 575.714613][ T3301] el0t_64_sync_handler+0x78/0x108 [ 575.715530][ T3301] el0t_64_sync+0x198/0x19c [ 575.716408][ T3301] [ 575.717016][ T3301] Freed by task 3291: [ 575.717741][ T3301] kasan_save_stack+0x40/0x6c [ 575.718663][ T3301] save_stack_info+0x30/0x138 [ 575.719544][ T3301] kasan_save_free_info+0x18/0x24 [ 575.720407][ T3301] __kasan_slab_free+0x64/0x68 [ 575.721323][ T3301] kfree+0x148/0x44c [ 575.722190][ T3301] binderfs_evict_inode+0x1e8/0x2b8 [ 575.723102][ T3301] evict+0x4d4/0xbe8 [ 575.723888][ T3301] iput+0x928/0x9e0 [ 575.724759][ T3301] dentry_unlink_inode+0x624/0x660 [ 575.725637][ T3301] __dentry_kill+0x224/0x808 [ 575.726521][ T3301] shrink_kill+0xd4/0x2cc [ 575.727341][ T3301] shrink_dentry_list+0x420/0x970 [ 575.728276][ T3301] shrink_dcache_parent+0x80/0x200 [ 575.729237][ T3301] do_one_tree+0x2c/0x148 [ 575.730114][ T3301] shrink_dcache_for_umount+0xb0/0x198 [ 575.731058][ T3301] generic_shutdown_super+0x84/0x424 [ 575.732034][ T3301] kill_litter_super+0xa4/0xdc [ 575.732949][ T3301] binderfs_kill_super+0x50/0xcc [ 575.733818][ T3301] deactivate_locked_super+0xf0/0x17c [ 575.734691][ T3301] deactivate_super+0xf4/0x104 [ 575.735646][ T3301] cleanup_mnt+0x3fc/0x484 [ 575.736518][ T3301] __cleanup_mnt+0x20/0x30 [ 575.737415][ T3301] task_work_run+0x1bc/0x254 [ 575.738345][ T3301] do_exit+0x740/0x23b0 [ 575.739182][ T3301] do_group_exit+0x1d4/0x2ac [ 575.740078][ T3301] get_signal+0x1440/0x1554 [ 575.740936][ T3301] do_signal+0x23c/0x3ecc [ 575.741816][ T3301] do_notify_resume+0x78/0x27c [ 575.742706][ T3301] el0_svc+0xb0/0x134 [ 575.743474][ T3301] el0t_64_sync_handler+0x78/0x108 [ 575.744353][ T3301] el0t_64_sync+0x198/0x19c [ 575.745221][ T3301] [ 575.745844][ T3301] The buggy address belongs to the object at fff0000013238200 [ 575.745844][ T3301] which belongs to the cache kmalloc-512 of size 512 [ 575.747307][ T3301] The buggy address is located 8 bytes inside of [ 575.747307][ T3301] 288-byte region [fff0000013238200, fff0000013238320) [ 575.748854][ T3301] [ 575.749534][ T3301] The buggy address belongs to the physical page: [ 575.750732][ T3301] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53238 [ 575.752203][ T3301] anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 575.753811][ T3301] page_type: f5(slab) [ 575.755136][ T3301] raw: 01ffc00000000000 a7f000000c801900 ffffc1ffc04c7a00 0000000000000005 [ 575.756346][ T3301] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 575.757599][ T3301] page dumped because: kasan: bad access detected [ 575.758530][ T3301] [ 575.759140][ T3301] Memory state around the buggy address: [ 575.760292][ T3301] fff0000013238000: 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 [ 575.761482][ T3301] fff0000013238100: 38 38 38 38 fe fe fe fe fe fe fe fe fe fe fe fe [ 575.762616][ T3301] >fff0000013238200: 89 89 89 89 89 89 89 89 89 89 89 89 89 89 89 89 [ 575.763728][ T3301] ^ [ 575.764643][ T3301] fff0000013238300: 89 89 fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 575.765760][ T3301] fff0000013238400: 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 [ 575.766910][ T3301] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 576.287203][ T3301] Disabling lock debugging due to kernel taint [ 576.344507][ T24] audit: type=1400 audit(575.780:102): avc: denied { mount } for pid=3301 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 VM DIAGNOSIS: 00:55:15 Registers: info registers vcpu 0 CPU#0 PC=ffff80008046f80c X00=0000000000000000 X01=0000000000000080 X02=0000000000000001 X03=ffff800080448c48 X04=0000000000000001 X05=0000000000000000 X06=ffff80008046a4b4 X07=ffff800080d9cffc X08=16f00000140b3a80 X09=0000000000000000 X10=0000000000ff0100 X11=0000000100000002 X12=0fff00000140b3a8 X13=0000000000000007 X14=0000000000000000 X15=0000000000000016 X16=0000000000000089 X17=0000000000000005 X18=0000000000000016 X19=00000000000000ff X20=ffff80008789f410 X21=00000000000000c0 X22=efff800000000000 X23=00000000000000c0 X24=ffff80008789f3b8 X25=ffff80008789f418 X26=0000000000000016 X27=ffff80008f0f74f4 X28=0000000000000080 X29=ffff80008f0f7480 X30=ffff80008046f808 SP=ffff80008f0f7400 PSTATE=814020c9 N--- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000 Z05=0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000 Z17=0000000000000000:0000000000000000 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000