last executing test programs: 1.14927496s ago: executing program 0 (id=283): syz_init_net_socket$rose(0xb, 0x5, 0x0) 889.285075ms ago: executing program 1 (id=286): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/qat_adf_ctl', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/qat_adf_ctl', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/qat_adf_ctl', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/qat_adf_ctl', 0x800, 0x0) 700.854467ms ago: executing program 1 (id=287): pwrite64(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0) 700.386657ms ago: executing program 0 (id=288): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm_plock', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm_plock', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm_plock', 0x800, 0x0) 590.276894ms ago: executing program 1 (id=289): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/checkreqprot', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/selinux/checkreqprot', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/checkreqprot', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot', 0x800, 0x0) 589.976914ms ago: executing program 0 (id=290): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/member', 0x2, 0x0) 469.327872ms ago: executing program 1 (id=291): timer_settime(0x0, 0x0, &(0x7f0000000000), 0x0) 389.061906ms ago: executing program 0 (id=292): dup(0xffffffffffffffff) 388.636206ms ago: executing program 1 (id=293): socket$nl_rdma(0x10, 0x3, 0x14) 267.859044ms ago: executing program 1 (id=294): syz_open_dev$audion(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$audion(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$audion(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$audion(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$audion(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$audion(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$audion(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$audion(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$audion(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$audion(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$audion(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$audion(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$audion(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$audion(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$audion(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$audion(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$audion(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$audion(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$audion(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$audion(&(0x7f0000000500), 0x4, 0x800) 249.237155ms ago: executing program 0 (id=295): syz_open_dev$ircomm(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$ircomm(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$ircomm(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$ircomm(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$ircomm(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$ircomm(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$ircomm(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$ircomm(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$ircomm(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$ircomm(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$ircomm(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$ircomm(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$ircomm(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$ircomm(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$ircomm(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$ircomm(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$ircomm(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$ircomm(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$ircomm(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$ircomm(&(0x7f0000000500), 0x4, 0x800) 0s ago: executing program 0 (id=296): process_madvise(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:38543' (ED25519) to the list of known hosts. [ 131.837582][ T30] audit: type=1400 audit(131.480:58): avc: denied { name_bind } for pid=3296 comm="sshd" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 132.194169][ T30] audit: type=1400 audit(131.840:59): avc: denied { execute } for pid=3298 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 132.199042][ T30] audit: type=1400 audit(131.840:60): avc: denied { execute_no_trans } for pid=3298 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 135.806995][ T30] audit: type=1400 audit(135.450:61): avc: denied { mounton } for pid=3298 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1736 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 135.816295][ T30] audit: type=1400 audit(135.460:62): avc: denied { mount } for pid=3298 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 135.877949][ T3298] cgroup: Unknown subsys name 'net' [ 135.913099][ T30] audit: type=1400 audit(135.550:63): avc: denied { unmount } for pid=3298 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 136.293598][ T3298] cgroup: Unknown subsys name 'cpuset' [ 136.335575][ T3298] cgroup: Unknown subsys name 'rlimit' [ 136.656339][ T30] audit: type=1400 audit(136.300:64): avc: denied { setattr } for pid=3298 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 136.659346][ T30] audit: type=1400 audit(136.300:65): avc: denied { create } for pid=3298 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 136.663335][ T30] audit: type=1400 audit(136.300:66): avc: denied { write } for pid=3298 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 136.666427][ T30] audit: type=1400 audit(136.310:67): avc: denied { module_request } for pid=3298 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 137.077063][ T3301] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 137.080713][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 137.081013][ T30] audit: type=1400 audit(136.720:71): avc: denied { relabelto } for pid=3301 comm="mkswap" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 137.090197][ T30] audit: type=1400 audit(136.730:72): avc: denied { write } for pid=3301 comm="mkswap" path="/swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 137.156671][ T30] audit: type=1400 audit(136.800:73): avc: denied { read } for pid=3298 comm="syz-executor" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 137.159806][ T30] audit: type=1400 audit(136.800:74): avc: denied { open } for pid=3298 comm="syz-executor" path="/swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 137.179773][ T3298] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 147.024131][ T30] audit: type=1400 audit(146.660:75): avc: denied { execmem } for pid=3302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 147.101398][ T30] audit: type=1400 audit(146.740:76): avc: denied { read } for pid=3304 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 147.107420][ T30] audit: type=1400 audit(146.750:77): avc: denied { open } for pid=3304 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 147.120572][ T30] audit: type=1400 audit(146.760:78): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 147.831671][ T30] audit: type=1400 audit(147.470:79): avc: denied { mount } for pid=3305 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 147.841426][ T30] audit: type=1400 audit(147.480:80): avc: denied { mounton } for pid=3305 comm="syz-executor" path="/syzkaller.EXQoLa/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 147.860009][ T30] audit: type=1400 audit(147.500:81): avc: denied { mount } for pid=3305 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 147.884097][ T30] audit: type=1400 audit(147.530:82): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/syzkaller.6EaNXV/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 147.908947][ T30] audit: type=1400 audit(147.550:83): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/syzkaller.6EaNXV/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2501 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 147.927383][ T30] audit: type=1400 audit(147.570:84): avc: denied { unmount } for pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 152.226903][ T30] kauditd_printk_skb: 19 callbacks suppressed [ 152.227434][ T30] audit: type=1400 audit(151.860:104): avc: denied { read write } for pid=3353 comm="syz.1.45" name="vhost-net" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 152.230107][ T30] audit: type=1400 audit(151.870:105): avc: denied { open } for pid=3353 comm="syz.1.45" path="/dev/vhost-net" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 152.405128][ T30] audit: type=1400 audit(152.050:106): avc: denied { create } for pid=3354 comm="syz.0.46" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=sctp_socket permissive=1 [ 154.223069][ T30] audit: type=1400 audit(153.860:107): avc: denied { write } for pid=3370 comm="syz.1.61" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 154.821156][ T30] audit: type=1400 audit(154.460:108): avc: denied { create } for pid=3374 comm="syz.1.65" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=caif_socket permissive=1 [ 155.311923][ T30] audit: type=1400 audit(154.950:109): avc: denied { create } for pid=3380 comm="syz.0.70" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=kcm_socket permissive=1 [ 155.810293][ T30] audit: type=1400 audit(155.450:110): avc: denied { kexec_image_load } for pid=3385 comm="syz.0.75" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=system permissive=1 [ 157.857325][ T30] audit: type=1400 audit(157.500:111): avc: denied { create } for pid=3414 comm="syz.0.101" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=xdp_socket permissive=1 [ 158.616072][ T30] audit: type=1400 audit(158.260:112): avc: denied { create } for pid=3423 comm="syz.0.109" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=alg_socket permissive=1 [ 159.153059][ T30] audit: type=1400 audit(158.790:113): avc: denied { create } for pid=3429 comm="syz.1.115" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 163.639725][ T30] audit: type=1400 audit(163.280:114): avc: denied { create } for pid=3475 comm="syz.0.160" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 163.754411][ T30] audit: type=1400 audit(163.380:115): avc: denied { create } for pid=3477 comm="syz.0.162" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_rdma_socket permissive=1 [ 165.726260][ T30] audit: type=1400 audit(165.370:116): avc: denied { create } for pid=3499 comm="syz.0.185" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=phonet_socket permissive=1 [ 166.283639][ T30] audit: type=1400 audit(165.920:117): avc: denied { read } for pid=3506 comm="syz.1.189" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 166.316710][ T30] audit: type=1400 audit(165.960:118): avc: denied { open } for pid=3506 comm="syz.1.189" path="/dev/autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 166.321166][ T30] audit: type=1400 audit(165.960:119): avc: denied { write } for pid=3506 comm="syz.1.189" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 166.675114][ T30] audit: type=1400 audit(166.320:120): avc: denied { create } for pid=3508 comm="syz.0.191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1 [ 166.681604][ T30] audit: type=1400 audit(166.320:121): avc: denied { write } for pid=3509 comm="syz.1.192" name="urandom" dev="devtmpfs" ino=9 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file permissive=1 [ 166.997347][ T30] audit: type=1400 audit(166.630:122): avc: denied { read } for pid=3513 comm="syz.0.196" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 166.997913][ T30] audit: type=1400 audit(166.630:123): avc: denied { open } for pid=3513 comm="syz.0.196" path="/dev/rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 168.139531][ T3529] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 170.888917][ T30] kauditd_printk_skb: 6 callbacks suppressed [ 170.889461][ T30] audit: type=1400 audit(170.530:130): avc: denied { create } for pid=3560 comm="syz.0.241" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 172.162195][ T30] audit: type=1400 audit(171.800:131): avc: denied { sys_module } for pid=3577 comm="syz.1.257" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 172.475013][ T30] audit: type=1400 audit(172.120:132): avc: denied { create } for pid=3581 comm="syz.0.261" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=x25_socket permissive=1 [ 173.250003][ T30] audit: type=1400 audit(172.890:133): avc: denied { create } for pid=3590 comm="syz.1.268" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1 [ 173.643800][ T30] audit: type=1400 audit(173.290:134): avc: denied { create } for pid=3595 comm="syz.1.273" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 173.980204][ T30] audit: type=1400 audit(173.610:135): avc: denied { create } for pid=3600 comm="syz.1.276" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=isdn_socket permissive=1 [ 174.490905][ T30] audit: type=1400 audit(174.130:136): avc: denied { create } for pid=3608 comm="syz.1.284" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=smc_socket permissive=1 [ 174.576431][ T30] audit: type=1400 audit(174.220:137): avc: denied { create } for pid=3607 comm="syz.0.283" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rose_socket permissive=1 [ 176.305676][ T3305] ================================================================== [ 176.306430][ T3305] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 176.307258][ T3305] Write of size 8 at addr ffff00001798c408 by task syz-executor/3305 [ 176.307356][ T3305] [ 176.308091][ T3305] CPU: 1 UID: 0 PID: 3305 Comm: syz-executor Not tainted 6.15.0-rc4-syzkaller-00042-gb6ea1680d0ac #0 PREEMPT [ 176.308199][ T3305] Hardware name: linux,dummy-virt (DT) [ 176.308495][ T3305] Call trace: [ 176.308663][ T3305] show_stack+0x18/0x24 (C) [ 176.308810][ T3305] dump_stack_lvl+0xa4/0xf4 [ 176.308877][ T3305] print_report+0xf4/0x60c [ 176.308926][ T3305] kasan_report+0xc8/0x108 [ 176.308968][ T3305] __asan_report_store8_noabort+0x20/0x2c [ 176.309006][ T3305] binderfs_evict_inode+0x2ac/0x2b4 [ 176.309047][ T3305] evict+0x2c0/0x67c [ 176.309086][ T3305] iput+0x3b0/0x6b4 [ 176.309122][ T3305] dentry_unlink_inode+0x208/0x46c [ 176.309170][ T3305] __dentry_kill+0x150/0x52c [ 176.309211][ T3305] shrink_dentry_list+0x114/0x3a4 [ 176.309252][ T3305] shrink_dcache_parent+0x158/0x354 [ 176.309293][ T3305] shrink_dcache_for_umount+0x88/0x304 [ 176.309335][ T3305] generic_shutdown_super+0x60/0x2e8 [ 176.309378][ T3305] kill_litter_super+0x68/0xa4 [ 176.309422][ T3305] binderfs_kill_super+0x38/0x88 [ 176.309462][ T3305] deactivate_locked_super+0x98/0x17c [ 176.309505][ T3305] deactivate_super+0xb0/0xd4 [ 176.309547][ T3305] cleanup_mnt+0x198/0x424 [ 176.309588][ T3305] __cleanup_mnt+0x14/0x20 [ 176.309628][ T3305] task_work_run+0x128/0x210 [ 176.309668][ T3305] do_exit+0x7ac/0x1f68 [ 176.309708][ T3305] do_group_exit+0xa4/0x208 [ 176.309749][ T3305] get_signal+0x1b00/0x1ba8 [ 176.309792][ T3305] do_signal+0x1f4/0x620 [ 176.309829][ T3305] do_notify_resume+0x18c/0x258 [ 176.309871][ T3305] el0_svc+0x100/0x180 [ 176.309915][ T3305] el0t_64_sync_handler+0x10c/0x138 [ 176.309953][ T3305] el0t_64_sync+0x198/0x19c [ 176.310155][ T3305] [ 176.311033][ T3305] Allocated by task 3304: [ 176.311288][ T3305] kasan_save_stack+0x3c/0x64 [ 176.311405][ T3305] kasan_save_track+0x20/0x3c [ 176.311493][ T3305] kasan_save_alloc_info+0x40/0x54 [ 176.311572][ T3305] __kasan_kmalloc+0xb8/0xbc [ 176.311653][ T3305] __kmalloc_cache_noprof+0x1b0/0x3cc [ 176.311737][ T3305] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 176.311820][ T3305] binderfs_fill_super+0x69c/0xed4 [ 176.311902][ T3305] get_tree_nodev+0xac/0x148 [ 176.311979][ T3305] binderfs_fs_context_get_tree+0x18/0x24 [ 176.312061][ T3305] vfs_get_tree+0x74/0x280 [ 176.312142][ T3305] path_mount+0xe54/0x1808 [ 176.312237][ T3305] __arm64_sys_mount+0x304/0x3dc [ 176.312321][ T3305] invoke_syscall+0x6c/0x258 [ 176.312464][ T3305] el0_svc_common.constprop.0+0xac/0x230 [ 176.312548][ T3305] do_el0_svc+0x40/0x58 [ 176.312626][ T3305] el0_svc+0x50/0x180 [ 176.312708][ T3305] el0t_64_sync_handler+0x10c/0x138 [ 176.312786][ T3305] el0t_64_sync+0x198/0x19c [ 176.312896][ T3305] [ 176.312982][ T3305] Freed by task 3304: [ 176.313073][ T3305] kasan_save_stack+0x3c/0x64 [ 176.313173][ T3305] kasan_save_track+0x20/0x3c [ 176.313258][ T3305] kasan_save_free_info+0x4c/0x74 [ 176.313336][ T3305] __kasan_slab_free+0x50/0x6c [ 176.313418][ T3305] kfree+0x1bc/0x444 [ 176.313533][ T3305] binderfs_evict_inode+0x238/0x2b4 [ 176.313641][ T3305] evict+0x2c0/0x67c [ 176.313718][ T3305] iput+0x3b0/0x6b4 [ 176.313795][ T3305] dentry_unlink_inode+0x208/0x46c [ 176.313876][ T3305] __dentry_kill+0x150/0x52c [ 176.313957][ T3305] shrink_dentry_list+0x114/0x3a4 [ 176.314040][ T3305] shrink_dcache_parent+0x158/0x354 [ 176.314130][ T3305] shrink_dcache_for_umount+0x88/0x304 [ 176.314224][ T3305] generic_shutdown_super+0x60/0x2e8 [ 176.314327][ T3305] kill_litter_super+0x68/0xa4 [ 176.314411][ T3305] binderfs_kill_super+0x38/0x88 [ 176.314492][ T3305] deactivate_locked_super+0x98/0x17c [ 176.314576][ T3305] deactivate_super+0xb0/0xd4 [ 176.314658][ T3305] cleanup_mnt+0x198/0x424 [ 176.314739][ T3305] __cleanup_mnt+0x14/0x20 [ 176.314820][ T3305] task_work_run+0x128/0x210 [ 176.314897][ T3305] do_exit+0x7ac/0x1f68 [ 176.314976][ T3305] do_group_exit+0xa4/0x208 [ 176.315056][ T3305] get_signal+0x1b00/0x1ba8 [ 176.315136][ T3305] do_signal+0x160/0x620 [ 176.315221][ T3305] do_notify_resume+0x18c/0x258 [ 176.315303][ T3305] el0_svc+0x100/0x180 [ 176.315386][ T3305] el0t_64_sync_handler+0x10c/0x138 [ 176.315464][ T3305] el0t_64_sync+0x198/0x19c [ 176.315556][ T3305] [ 176.315678][ T3305] The buggy address belongs to the object at ffff00001798c400 SYZFAIL: failed to recv rpc [ 176.315678][ T3305] which belongs to the cache kmalloc-512 of size 512 [ 176.315826][ T3305] The buggy address is located 8 bytes inside of [ 176.315826][ T3305] freed 512-byte region [ffff00001798c400, ffff00001798c600) [ 176.315929][ T3305] [ 176.316053][ T3305] The buggy address belongs to the physical page: [ 176.316475][ T3305] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff00001798c800 pfn:0x5798c [ 176.317009][ T3305] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 176.317171][ T3305] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 176.317627][ T3305] page_type: f5(slab) [ 176.318010][ T3305] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc05ab210 fffffdffc040fb10 [ 176.318115][ T3305] raw: ffff00001798c800 000000000010000c 00000000f5000000 0000000000000000 [ 176.318291][ T3305] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc05ab210 fffffdffc040fb10 [ 176.318379][ T3305] head: ffff00001798c800 000000000010000c 00000000f5000000 0000000000000000 [ 176.318458][ T3305] head: 01ffc00000000002 fffffdffc05e6301 00000000ffffffff 00000000ffffffff [ 176.318535][ T3305] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 176.318653][ T3305] page dumped because: kasan: bad access detected [ 176.318740][ T3305] [ 176.318814][ T3305] Memory state around the buggy address: [ 176.319152][ T3305] ffff00001798c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 176.319276][ T3305] ffff00001798c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 176.319375][ T3305] >ffff00001798c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 176.319474][ T3305] ^ [ 176.319609][ T3305] ffff00001798c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 176.319686][ T3305] ffff00001798c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 176.319823][ T3305] ================================================================== [ 176.369712][ T3305] Disabling lock debugging due to kernel taint fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 05:44:20 Registers: info registers vcpu 0 CPU#0 PC=ffff80008545f1dc X00=ffff80008545f1d8 X01=0000000000000000 X02=0000000000000000 X03=1fffe00001c50791 X04=1fffe00001c50791 X05=ffff80008d577890 X06=ffff700011aaef12 X07=0000000000000001 X08=0000000000000003 X09=dfff800000000000 X10=ffff700011aaef12 X11=1ffff00011aaef12 X12=ffff700011aaef13 X13=0000000000000000 X14=00004c4b40000000 X15=0000000000000000 X16=ffff800080000000 X17=ffff7fffe3043000 X18=0000000000000000 X19=ffff8000873008b0 X20=ffff00000e283c80 X21=0000000000000003 X22=0000000000000028 X23=dfff800000000000 X24=ffff800087300880 X25=0000000000000000 X26=0000000000000004 X27=ffff8000873008b0 X28=ffff8000872c5dc0 X29=ffff80008d577830 X30=ffff80008042849c SP=ffff80008d577830 PSTATE=100000c5 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000f00000:0000000000f00000 Q01=373036333d646970:2020000a3d3d3d3d Q02=3338322e302e7a79:73223d6d6d6f6320 Q03=000f0000f000000f:00000000000f0000 Q04=f00ff00ff00ff00f:f00ff00ff00ff00f Q05=0f00f00f00000f00:0f00f00f00000f00 Q06=0000000000000300:0000000000000300 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081b67e10 X00=0000000000000002 X01=0000000000000000 X02=0000000000000002 X03=dfff800000000000 X04=0000000000000018 X05=ffff80008d9479e0 X06=ffff700011b28f3c X07=0000000000000001 X08=0000000000000003 X09=dfff800000000000 X10=ffff700011b28f3c X11=1ffff00011b28f3c X12=ffff700011b28f3d X13=0000000000008000 X14=0000000000000000 X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=00000000000005c6 X19=ffff00000ee0c080 X20=ffff80008d43b018 X21=ffff800087a92820 X22=0000000000000033 X23=dfff800000000000 X24=ffff00000f71c008 X25=0000000000000007 X26=0000000000000f01 X27=1fffe00001dc185a X28=ffff00000ee0c2d0 X29=ffff80008d947990 X30=ffff800081b6809c SP=ffff80008d947990 PSTATE=800000c5 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=000000010000000e:000000000000000a Q02=0000000300000009:0000000200000016 Q03=0000ffffe11bcf50:0000ffffe11bccb8 Q04=0000000000000000:0000000000000000 Q05=0000ffffe11bcc10:0000000000000000 Q06=cccccccc00000000:cccccccc00000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:000001f40000000a Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffe11bd020:0000ffffe11bd020 Q17=ffffff80ffffffd0:0000ffffe11bcff0 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000