last executing test programs:
819.029043ms ago: executing program 0 (id=140):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/mixer', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/mixer', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/mixer', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/mixer', 0x800, 0x0)
764.094728ms ago: executing program 5 (id=143):
socket(0x1e, 0x2, 0x0)
763.646918ms ago: executing program 0 (id=145):
uname(&(0x7f0000000000))
763.447835ms ago: executing program 2 (id=147):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/access', 0x2, 0x0)
759.281514ms ago: executing program 4 (id=148):
syz_open_dev$cec(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$cec(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$cec(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$cec(&(0x7f0000000100), 0x0, 0x800)
755.078686ms ago: executing program 5 (id=149):
readlink(&(0x7f0000000000), &(0x7f0000000000), 0x0)
699.779325ms ago: executing program 0 (id=151):
syz_open_dev$hiddev(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$hiddev(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$hiddev(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$hiddev(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$hiddev(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$hiddev(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$hiddev(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$hiddev(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$hiddev(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$hiddev(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$hiddev(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$hiddev(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$hiddev(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$hiddev(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$hiddev(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$hiddev(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$hiddev(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$hiddev(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$hiddev(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$hiddev(&(0x7f0000000500), 0x4, 0x800)
699.640398ms ago: executing program 2 (id=153):
tkill(0x0, 0x0)
699.362647ms ago: executing program 4 (id=155):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/binder/failed_transaction_log', 0x0, 0x0)
699.26474ms ago: executing program 2 (id=156):
getgroups(0x0, &(0x7f0000000000))
692.805342ms ago: executing program 5 (id=157):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/monitor_on', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/monitor_on', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/monitor_on', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/monitor_on', 0x800, 0x0)
628.037429ms ago: executing program 0 (id=159):
poll(&(0x7f0000000000), 0x0, 0x0)
627.896486ms ago: executing program 2 (id=160):
socket$l2tp6(0xa, 0x2, 0x73)
627.810927ms ago: executing program 4 (id=161):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/socket/zygote', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/socket/zygote', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/socket/zygote', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/socket/zygote', 0x800, 0x0)
627.62826ms ago: executing program 5 (id=164):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/userio', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/userio', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/userio', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/userio', 0x800, 0x0)
625.968622ms ago: executing program 4 (id=166):
sched_rr_get_interval(0x0, &(0x7f0000000000))
622.888576ms ago: executing program 0 (id=167):
rt_sigqueueinfo(0x0, 0x0, &(0x7f0000000000))
595.331834ms ago: executing program 2 (id=168):
request_key(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0)
551.952139ms ago: executing program 5 (id=169):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nmem0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/nmem0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/nmem0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/nmem0', 0x800, 0x0)
551.602414ms ago: executing program 4 (id=172):
pkey_free(0xffffffffffffffff)
551.438431ms ago: executing program 0 (id=173):
timerfd_create(0x0, 0x0)
547.248201ms ago: executing program 2 (id=175):
socket$pppoe(0x18, 0x1, 0x0)
546.832132ms ago: executing program 5 (id=176):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/tty', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/tty', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/tty', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/tty', 0x800, 0x0)
540.276849ms ago: executing program 4 (id=177):
fsync(0xffffffffffffffff)
491.887313ms ago: executing program 1 (id=178):
syz_open_dev$audion(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$audion(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$audion(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$audion(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$audion(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$audion(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$audion(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$audion(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$audion(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$audion(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$audion(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$audion(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$audion(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$audion(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$audion(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$audion(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$audion(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$audion(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$audion(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$audion(&(0x7f0000000500), 0x4, 0x800)
443.085514ms ago: executing program 3 (id=182):
timer_settime(0x0, 0x0, &(0x7f0000000000), 0x0)
381.852882ms ago: executing program 3 (id=184):
epoll_wait(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)
316.016494ms ago: executing program 3 (id=185):
rt_sigpending(&(0x7f0000000000), 0x0)
315.703041ms ago: executing program 3 (id=186):
socket$inet_icmp(0x2, 0x2, 0x1)
255.508334ms ago: executing program 3 (id=187):
openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/mm/transparent_hugepage/khugepaged/scan_sleep_millisecs', 0x1, 0x0)
234.012214ms ago: executing program 3 (id=188):
syz_open_dev$sndpcmc(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000140), 0xa, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000180), 0xa, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000001c0), 0xa, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000200), 0xa, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000240), 0x14, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000280), 0x14, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000002c0), 0x14, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000300), 0x14, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000340), 0x1e, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000380), 0x1e, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000003c0), 0x1e, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000400), 0x1e, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000440), 0x28, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000480), 0x28, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000004c0), 0x28, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000500), 0x28, 0x800)
163.980599ms ago: executing program 1 (id=190):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhost-net', 0x2, 0x0)
115.642828ms ago: executing program 1 (id=191):
userfaultfd(0x0)
84.989253ms ago: executing program 1 (id=192):
flock(0xffffffffffffffff, 0x0)
98.612µs ago: executing program 1 (id=193):
utimes(&(0x7f0000000000), &(0x7f0000000000))
0s ago: executing program 1 (id=194):
pselect6(0x0, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000))
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.90' (ED25519) to the list of known hosts.
[ 84.461208][ T5825] cgroup: Unknown subsys name 'net'
[ 84.634624][ T5825] cgroup: Unknown subsys name 'cpuset'
[ 84.643433][ T5825] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 86.176941][ T5825] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 90.407102][ T6054] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 90.418002][ T6035] ==================================================================
[ 90.426172][ T6035] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 90.434012][ T6035] Write of size 8 at addr ffff88803306a008 by task syz-executor/6035
[ 90.442087][ T6035]
[ 90.444413][ T6035] CPU: 1 UID: 0 PID: 6035 Comm: syz-executor Not tainted 6.13.0-syzkaller-09338-g05dbaf8dd8bf #0
[ 90.444452][ T6035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 90.444472][ T6035] Call Trace:
[ 90.444482][ T6035]
[ 90.444495][ T6035] dump_stack_lvl+0x116/0x1f0
[ 90.444539][ T6035] print_report+0xc3/0x620
[ 90.444595][ T6035] ? srso_alias_return_thunk+0x5/0xfbef5
[ 90.444653][ T6035] ? srso_alias_return_thunk+0x5/0xfbef5
[ 90.444710][ T6035] ? __phys_addr+0xc6/0x150
[ 90.444747][ T6035] kasan_report+0xd9/0x110
[ 90.444802][ T6035] ? binder_add_device+0xa4/0xb0
[ 90.444844][ T6035] ? binder_add_device+0xa4/0xb0
[ 90.444887][ T6035] binder_add_device+0xa4/0xb0
[ 90.444925][ T6035] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 90.444986][ T6035] binderfs_fill_super+0x8d6/0x1360
[ 90.445039][ T6035] ? __pfx_binderfs_fill_super+0x10/0x10
[ 90.445088][ T6035] ? srso_alias_return_thunk+0x5/0xfbef5
[ 90.445159][ T6035] ? shrinker_register+0x1a8/0x260
[ 90.445205][ T6035] ? srso_alias_return_thunk+0x5/0xfbef5
[ 90.445263][ T6035] ? sget_fc+0x808/0xc20
[ 90.445308][ T6035] ? apparmor_capable+0x114/0x1d0
[ 90.445365][ T6035] ? __pfx_set_anon_super_fc+0x10/0x10
[ 90.445409][ T6035] ? __pfx_binderfs_fill_super+0x10/0x10
[ 90.445458][ T6035] get_tree_nodev+0xdd/0x190
[ 90.445506][ T6035] vfs_get_tree+0x8e/0x340
[ 90.445546][ T6035] path_mount+0x14e6/0x1f10
[ 90.445602][ T6035] ? srso_alias_return_thunk+0x5/0xfbef5
[ 90.445659][ T6035] ? kmem_cache_free+0x2e2/0x4d0
[ 90.445711][ T6035] ? __pfx_path_mount+0x10/0x10
[ 90.445768][ T6035] ? srso_alias_return_thunk+0x5/0xfbef5
[ 90.445826][ T6035] ? putname+0x13c/0x180
[ 90.445860][ T6035] __x64_sys_mount+0x28f/0x310
[ 90.445917][ T6035] ? __pfx___x64_sys_mount+0x10/0x10
[ 90.445983][ T6035] do_syscall_64+0xcd/0x250
[ 90.446028][ T6035] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.446078][ T6035] RIP: 0033:0x7fbf0b78e54a
[ 90.446103][ T6035] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 90.446136][ T6035] RSP: 002b:00007ffe9a9eb568 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 90.446167][ T6035] RAX: ffffffffffffffda RBX: 00007fbf0b80e663 RCX: 00007fbf0b78e54a
[ 90.446190][ T6035] RDX: 00007fbf0b81dda7 RSI: 00007fbf0b80e663 RDI: 00007fbf0b81dda7
[ 90.446212][ T6035] RBP: 00007fbf0b80e8ac R08: 0000000000000000 R09: 00000000000001ff
[ 90.446234][ T6035] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbf0b7eb1a8
[ 90.446255][ T6035] R13: 00007fbf0b7eb180 R14: 0000000000000009 R15: 0000000000000000
[ 90.446286][ T6035]
[ 90.446297][ T6035]
[ 90.707673][ T6035] Allocated by task 5842:
[ 90.712031][ T6035] kasan_save_stack+0x33/0x60
[ 90.716745][ T6035] kasan_save_track+0x14/0x30
[ 90.721452][ T6035] __kasan_kmalloc+0xaa/0xb0
[ 90.726070][ T6035] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 90.732691][ T6035] binderfs_fill_super+0x8d6/0x1360
[ 90.737916][ T6035] get_tree_nodev+0xdd/0x190
[ 90.742539][ T6035] vfs_get_tree+0x8e/0x340
[ 90.746975][ T6035] path_mount+0x14e6/0x1f10
[ 90.751522][ T6035] __x64_sys_mount+0x28f/0x310
[ 90.756324][ T6035] do_syscall_64+0xcd/0x250
[ 90.760848][ T6035] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.766771][ T6035]
[ 90.769094][ T6035] Freed by task 5842:
[ 90.773075][ T6035] kasan_save_stack+0x33/0x60
[ 90.777784][ T6035] kasan_save_track+0x14/0x30
[ 90.782492][ T6035] kasan_save_free_info+0x3b/0x60
[ 90.787537][ T6035] __kasan_slab_free+0x51/0x70
[ 90.792333][ T6035] kfree+0x2c4/0x4d0
[ 90.796275][ T6035] binderfs_evict_inode+0x1e0/0x250
[ 90.801502][ T6035] evict+0x40c/0x960
[ 90.805410][ T6035] iput+0x52a/0x890
[ 90.809228][ T6035] dentry_unlink_inode+0x29c/0x480
[ 90.814355][ T6035] __dentry_kill+0x1d0/0x600
[ 90.818956][ T6035] shrink_dentry_list+0x140/0x5d0
[ 90.824008][ T6035] shrink_dcache_parent+0xe2/0x530
[ 90.829141][ T6035] shrink_dcache_for_umount+0xa1/0x3e0
[ 90.834622][ T6035] generic_shutdown_super+0x6c/0x390
[ 90.839931][ T6035] kill_litter_super+0x70/0xa0
[ 90.844731][ T6035] binderfs_kill_super+0x3b/0xa0
[ 90.849694][ T6035] deactivate_locked_super+0xc1/0x1a0
[ 90.855095][ T6035] deactivate_super+0xde/0x100
[ 90.859882][ T6035] cleanup_mnt+0x222/0x450
[ 90.864326][ T6035] task_work_run+0x151/0x250
[ 90.868942][ T6035] do_exit+0xad8/0x2d70
[ 90.873117][ T6035] do_group_exit+0xd3/0x2a0
[ 90.877638][ T6035] get_signal+0x24ed/0x26c0
[ 90.882176][ T6035] arch_do_signal_or_restart+0x90/0x7e0
[ 90.887745][ T6035] syscall_exit_to_user_mode+0x150/0x2a0
[ 90.893401][ T6035] do_syscall_64+0xda/0x250
[ 90.897926][ T6035] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.903857][ T6035]
[ 90.906179][ T6035] The buggy address belongs to the object at ffff88803306a000
[ 90.906179][ T6035] which belongs to the cache kmalloc-512 of size 512
[ 90.920243][ T6035] The buggy address is located 8 bytes inside of
[ 90.920243][ T6035] freed 512-byte region [ffff88803306a000, ffff88803306a200)
[ 90.933879][ T6035]
[ 90.936201][ T6035] The buggy address belongs to the physical page:
[ 90.942698][ T6035] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33068
[ 90.951466][ T6035] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 90.959973][ T6035] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 90.967531][ T6035] page_type: f5(slab)
[ 90.971526][ T6035] raw: 00fff00000000040 ffff88801b041c80 ffffea000083a500 dead000000000002
[ 90.980125][ T6035] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 90.988722][ T6035] head: 00fff00000000040 ffff88801b041c80 ffffea000083a500 dead000000000002
[ 90.997405][ T6035] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 91.006091][ T6035] head: 00fff00000000002 ffffea0000cc1a01 ffffffffffffffff 0000000000000000
[ 91.015035][ T6035] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 91.023706][ T6035] page dumped because: kasan: bad access detected
[ 91.030121][ T6035] page_owner tracks the page as allocated
[ 91.035920][ T6035] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5210, tgid 5210 (udevd), ts 40717206829, free_ts 40699259854
[ 91.056704][ T6035] post_alloc_hook+0x181/0x1b0
[ 91.061500][ T6035] get_page_from_freelist+0xfce/0x2f80
[ 91.067002][ T6035] __alloc_frozen_pages_noprof+0x221/0x2470
[ 91.072935][ T6035] alloc_pages_mpol+0x1fc/0x540
[ 91.077826][ T6035] new_slab+0x23d/0x330
[ 91.082010][ T6035] ___slab_alloc+0xc5d/0x1720
[ 91.086711][ T6035] __slab_alloc.constprop.0+0x56/0xb0
[ 91.092112][ T6035] __kmalloc_cache_noprof+0xfa/0x410
[ 91.097430][ T6035] kernfs_fop_open+0x28b/0xdb0
[ 91.102297][ T6035] do_dentry_open+0x738/0x1c40
[ 91.107089][ T6035] vfs_open+0x82/0x3f0
[ 91.111170][ T6035] path_openat+0x1e88/0x2d80
[ 91.115794][ T6035] do_filp_open+0x20c/0x470
[ 91.120325][ T6035] do_sys_openat2+0x17a/0x1e0
[ 91.125024][ T6035] __x64_sys_openat+0x175/0x210
[ 91.129891][ T6035] do_syscall_64+0xcd/0x250
[ 91.134505][ T6035] page last free pid 5212 tgid 5212 stack trace:
[ 91.140835][ T6035] free_frozen_pages+0x6db/0xfb0
[ 91.145804][ T6035] qlist_free_all+0x4e/0x120
[ 91.150419][ T6035] kasan_quarantine_reduce+0x195/0x1e0
[ 91.155910][ T6035] __kasan_slab_alloc+0x69/0x90
[ 91.161018][ T6035] __kmalloc_node_noprof+0x1d0/0x510
[ 91.166338][ T6035] __kvmalloc_node_noprof+0xad/0x1a0
[ 91.171652][ T6035] seq_read_iter+0x82a/0x12b0
[ 91.176354][ T6035] kernfs_fop_read_iter+0x414/0x580
[ 91.181567][ T6035] vfs_read+0x889/0xbf0
[ 91.185747][ T6035] ksys_read+0x12b/0x250
[ 91.190018][ T6035] do_syscall_64+0xcd/0x250
[ 91.194717][ T6035] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.200638][ T6035]
[ 91.202962][ T6035] Memory state around the buggy address:
[ 91.208595][ T6035] ffff888033069f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 91.216687][ T6035] ffff888033069f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 91.224758][ T6035] >ffff88803306a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.232909][ T6035] ^
[ 91.237238][ T6035] ffff88803306a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.245308][ T6035] ffff88803306a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.253493][ T6035] ==================================================================
[ 91.261746][ T6038] ==================================================================
[ 91.269837][ T6038] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 91.277601][ T6038] Write of size 8 at addr ffff88803306a008 by task syz-executor/6038
[ 91.285692][ T6038]
[ 91.288028][ T6038] CPU: 0 UID: 0 PID: 6038 Comm: syz-executor Not tainted 6.13.0-syzkaller-09338-g05dbaf8dd8bf #0
[ 91.288074][ T6038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 91.288097][ T6038] Call Trace:
[ 91.288108][ T6038]
[ 91.288121][ T6038] dump_stack_lvl+0x116/0x1f0
[ 91.288171][ T6038] print_report+0xc3/0x620
[ 91.288233][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 91.288304][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 91.288366][ T6038] ? __phys_addr+0xc6/0x150
[ 91.288407][ T6038] kasan_report+0xd9/0x110
[ 91.288469][ T6038] ? binder_add_device+0xa4/0xb0
[ 91.288514][ T6038] ? binder_add_device+0xa4/0xb0
[ 91.288561][ T6038] binder_add_device+0xa4/0xb0
[ 91.288604][ T6038] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 91.288667][ T6038] binderfs_fill_super+0x8d6/0x1360
[ 91.288725][ T6038] ? __pfx_binderfs_fill_super+0x10/0x10
[ 91.288779][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 91.288858][ T6038] ? shrinker_register+0x1a8/0x260
[ 91.288909][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 91.288972][ T6038] ? sget_fc+0x808/0xc20
[ 91.289022][ T6038] ? apparmor_capable+0x114/0x1d0
[ 91.289084][ T6038] ? __pfx_set_anon_super_fc+0x10/0x10
[ 91.289133][ T6038] ? __pfx_binderfs_fill_super+0x10/0x10
[ 91.289186][ T6038] get_tree_nodev+0xdd/0x190
[ 91.289246][ T6038] vfs_get_tree+0x8e/0x340
[ 91.289288][ T6038] path_mount+0x14e6/0x1f10
[ 91.289349][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 91.289411][ T6038] ? kmem_cache_free+0x2e2/0x4d0
[ 91.289468][ T6038] ? __pfx_path_mount+0x10/0x10
[ 91.289532][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 91.289595][ T6038] ? putname+0x13c/0x180
[ 91.289633][ T6038] __x64_sys_mount+0x28f/0x310
[ 91.289694][ T6038] ? __pfx___x64_sys_mount+0x10/0x10
[ 91.289764][ T6038] do_syscall_64+0xcd/0x250
[ 91.289813][ T6038] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.289868][ T6038] RIP: 0033:0x7fd1a8f8e54a
[ 91.289896][ T6038] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 91.289932][ T6038] RSP: 002b:00007fff70aab0b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 91.289966][ T6038] RAX: ffffffffffffffda RBX: 00007fd1a900e663 RCX: 00007fd1a8f8e54a
[ 91.289992][ T6038] RDX: 00007fd1a901dda7 RSI: 00007fd1a900e663 RDI: 00007fd1a901dda7
[ 91.290017][ T6038] RBP: 00007fd1a900e8ac R08: 0000000000000000 R09: 00000000000001ff
[ 91.290041][ T6038] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd1a8feb1a8
[ 91.290065][ T6038] R13: 00007fd1a8feb180 R14: 0000000000000009 R15: 0000000000000000
[ 91.290099][ T6038]
[ 91.290112][ T6038]
[ 91.552095][ T6038] Allocated by task 5842:
[ 91.556440][ T6038] kasan_save_stack+0x33/0x60
[ 91.561173][ T6038] kasan_save_track+0x14/0x30
[ 91.565907][ T6038] __kasan_kmalloc+0xaa/0xb0
[ 91.570547][ T6038] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 91.577189][ T6038] binderfs_fill_super+0x8d6/0x1360
[ 91.582526][ T6038] get_tree_nodev+0xdd/0x190
[ 91.587163][ T6038] vfs_get_tree+0x8e/0x340
[ 91.591615][ T6038] path_mount+0x14e6/0x1f10
[ 91.596172][ T6038] __x64_sys_mount+0x28f/0x310
[ 91.601128][ T6038] do_syscall_64+0xcd/0x250
[ 91.605674][ T6038] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.611617][ T6038]
[ 91.613958][ T6038] Freed by task 5842:
[ 91.617952][ T6038] kasan_save_stack+0x33/0x60
[ 91.622681][ T6038] kasan_save_track+0x14/0x30
[ 91.627499][ T6038] kasan_save_free_info+0x3b/0x60
[ 91.632567][ T6038] __kasan_slab_free+0x51/0x70
[ 91.637384][ T6038] kfree+0x2c4/0x4d0
[ 91.641410][ T6038] binderfs_evict_inode+0x1e0/0x250
[ 91.646744][ T6038] evict+0x40c/0x960
[ 91.650672][ T6038] iput+0x52a/0x890
[ 91.654509][ T6038] dentry_unlink_inode+0x29c/0x480
[ 91.659647][ T6038] __dentry_kill+0x1d0/0x600
[ 91.664442][ T6038] shrink_dentry_list+0x140/0x5d0
[ 91.669502][ T6038] shrink_dcache_parent+0xe2/0x530
[ 91.674653][ T6038] shrink_dcache_for_umount+0xa1/0x3e0
[ 91.680151][ T6038] generic_shutdown_super+0x6c/0x390
[ 91.685473][ T6038] kill_litter_super+0x70/0xa0
[ 91.690271][ T6038] binderfs_kill_super+0x3b/0xa0
[ 91.695251][ T6038] deactivate_locked_super+0xc1/0x1a0
[ 91.700658][ T6038] deactivate_super+0xde/0x100
[ 91.705456][ T6038] cleanup_mnt+0x222/0x450
[ 91.709910][ T6038] task_work_run+0x151/0x250
[ 91.712053][ T6054] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 91.714523][ T6038] do_exit+0xad8/0x2d70
[ 91.725876][ T6038] do_group_exit+0xd3/0x2a0
[ 91.730412][ T6038] get_signal+0x24ed/0x26c0
[ 91.734965][ T6038] arch_do_signal_or_restart+0x90/0x7e0
[ 91.740550][ T6038] syscall_exit_to_user_mode+0x150/0x2a0
[ 91.746224][ T6038] do_syscall_64+0xda/0x250
[ 91.750773][ T6038] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.756713][ T6038]
[ 91.759051][ T6038] The buggy address belongs to the object at ffff88803306a000
[ 91.759051][ T6038] which belongs to the cache kmalloc-512 of size 512
[ 91.773132][ T6038] The buggy address is located 8 bytes inside of
[ 91.773132][ T6038] freed 512-byte region [ffff88803306a000, ffff88803306a200)
[ 91.786770][ T6038]
[ 91.789268][ T6038] The buggy address belongs to the physical page:
[ 91.795676][ T6038] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33068
[ 91.804446][ T6038] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 91.813040][ T6038] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 91.820592][ T6038] page_type: f5(slab)
[ 91.824586][ T6038] raw: 00fff00000000040 ffff88801b041c80 ffffea000083a500 dead000000000002
[ 91.833186][ T6038] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 91.841800][ T6038] head: 00fff00000000040 ffff88801b041c80 ffffea000083a500 dead000000000002
[ 91.850489][ T6038] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 91.859176][ T6038] head: 00fff00000000002 ffffea0000cc1a01 ffffffffffffffff 0000000000000000
[ 91.867863][ T6038] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 91.876542][ T6038] page dumped because: kasan: bad access detected
[ 91.882955][ T6038] page_owner tracks the page as allocated
[ 91.888666][ T6038] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5210, tgid 5210 (udevd), ts 40717206829, free_ts 40699259854
[ 91.909449][ T6038] post_alloc_hook+0x181/0x1b0
[ 91.914250][ T6038] get_page_from_freelist+0xfce/0x2f80
[ 91.919745][ T6038] __alloc_frozen_pages_noprof+0x221/0x2470
[ 91.925675][ T6038] alloc_pages_mpol+0x1fc/0x540
[ 91.930561][ T6038] new_slab+0x23d/0x330
[ 91.934739][ T6038] ___slab_alloc+0xc5d/0x1720
[ 91.939441][ T6038] __slab_alloc.constprop.0+0x56/0xb0
[ 91.944841][ T6038] __kmalloc_cache_noprof+0xfa/0x410
[ 91.950154][ T6038] kernfs_fop_open+0x28b/0xdb0
[ 91.954935][ T6038] do_dentry_open+0x738/0x1c40
[ 91.959728][ T6038] vfs_open+0x82/0x3f0
[ 91.963819][ T6038] path_openat+0x1e88/0x2d80
[ 91.968440][ T6038] do_filp_open+0x20c/0x470
[ 91.972993][ T6038] do_sys_openat2+0x17a/0x1e0
[ 91.977684][ T6038] __x64_sys_openat+0x175/0x210
[ 91.983161][ T6038] do_syscall_64+0xcd/0x250
[ 91.987686][ T6038] page last free pid 5212 tgid 5212 stack trace:
[ 91.994014][ T6038] free_frozen_pages+0x6db/0xfb0
[ 91.998982][ T6038] qlist_free_all+0x4e/0x120
[ 92.003623][ T6038] kasan_quarantine_reduce+0x195/0x1e0
[ 92.009112][ T6038] __kasan_slab_alloc+0x69/0x90
[ 92.014003][ T6038] __kmalloc_node_noprof+0x1d0/0x510
[ 92.019324][ T6038] __kvmalloc_node_noprof+0xad/0x1a0
[ 92.024726][ T6038] seq_read_iter+0x82a/0x12b0
[ 92.029448][ T6038] kernfs_fop_read_iter+0x414/0x580
[ 92.034675][ T6038] vfs_read+0x889/0xbf0
[ 92.038858][ T6038] ksys_read+0x12b/0x250
[ 92.043126][ T6038] do_syscall_64+0xcd/0x250
[ 92.047652][ T6038] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 92.053662][ T6038]
[ 92.055987][ T6038] Memory state around the buggy address:
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 92.061704][ T6038] ffff888033069f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.069773][ T6038] ffff888033069f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.077843][ T6038] >ffff88803306a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.085926][ T6038] ^
[ 92.090342][ T6038] ffff88803306a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.098412][ T6038] ffff88803306a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.106477][ T6038] ==================================================================
[ 92.136396][ T6038] Kernel panic - not syncing: kasan.fault=panic_on_write set ...
[ 92.144175][ T6038] CPU: 0 UID: 0 PID: 6038 Comm: syz-executor Not tainted 6.13.0-syzkaller-09338-g05dbaf8dd8bf #0
[ 92.154714][ T6038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 92.164876][ T6038] Call Trace:
[ 92.168168][ T6038]
[ 92.171115][ T6038] dump_stack_lvl+0x3d/0x1f0
[ 92.175745][ T6038] panic+0x71d/0x800
[ 92.179673][ T6038] ? __pfx_panic+0x10/0x10
[ 92.184123][ T6038] ? lockdep_hardirqs_on+0x7c/0x110
[ 92.189354][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 92.195044][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 92.200738][ T6038] ? preempt_schedule_common+0x44/0xc0
[ 92.206240][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 92.211934][ T6038] ? preempt_schedule_thunk+0x1a/0x30
[ 92.217355][ T6038] end_report+0x169/0x180
[ 92.221742][ T6038] kasan_report+0xe9/0x110
[ 92.226226][ T6038] ? binder_add_device+0xa4/0xb0
[ 92.231213][ T6038] ? binder_add_device+0xa4/0xb0
[ 92.236195][ T6038] binder_add_device+0xa4/0xb0
[ 92.241000][ T6038] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 92.247640][ T6038] binderfs_fill_super+0x8d6/0x1360
[ 92.252889][ T6038] ? __pfx_binderfs_fill_super+0x10/0x10
[ 92.258572][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 92.264281][ T6038] ? shrinker_register+0x1a8/0x260
[ 92.269433][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 92.275119][ T6038] ? sget_fc+0x808/0xc20
[ 92.279398][ T6038] ? apparmor_capable+0x114/0x1d0
[ 92.284477][ T6038] ? __pfx_set_anon_super_fc+0x10/0x10
[ 92.289991][ T6038] ? __pfx_binderfs_fill_super+0x10/0x10
[ 92.295673][ T6038] get_tree_nodev+0xdd/0x190
[ 92.300308][ T6038] vfs_get_tree+0x8e/0x340
[ 92.304757][ T6038] path_mount+0x14e6/0x1f10
[ 92.309329][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 92.315023][ T6038] ? kmem_cache_free+0x2e2/0x4d0
[ 92.320016][ T6038] ? __pfx_path_mount+0x10/0x10
[ 92.324925][ T6038] ? srso_alias_return_thunk+0x5/0xfbef5
[ 92.330616][ T6038] ? putname+0x13c/0x180
[ 92.334886][ T6038] __x64_sys_mount+0x28f/0x310
[ 92.339700][ T6038] ? __pfx___x64_sys_mount+0x10/0x10
[ 92.345045][ T6038] do_syscall_64+0xcd/0x250
[ 92.349682][ T6038] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 92.355626][ T6038] RIP: 0033:0x7fd1a8f8e54a
[ 92.360059][ T6038] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 92.379694][ T6038] RSP: 002b:00007fff70aab0b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 92.388139][ T6038] RAX: ffffffffffffffda RBX: 00007fd1a900e663 RCX: 00007fd1a8f8e54a
[ 92.396132][ T6038] RDX: 00007fd1a901dda7 RSI: 00007fd1a900e663 RDI: 00007fd1a901dda7
[ 92.404126][ T6038] RBP: 00007fd1a900e8ac R08: 0000000000000000 R09: 00000000000001ff
[ 92.412327][ T6038] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd1a8feb1a8
[ 92.420322][ T6038] R13: 00007fd1a8feb180 R14: 0000000000000009 R15: 0000000000000000
[ 92.428332][ T6038]
[ 92.431587][ T6038] Kernel Offset: disabled
[ 92.435910][ T6038] Rebooting in 86400 seconds..