last executing test programs:

268.604838ms ago: executing program 2 (id=308):
faccessat(0xffffffffffffffff, &(0x7f0000000000), 0x0)

223.796307ms ago: executing program 0 (id=310):
eventfd(0x0)

223.639705ms ago: executing program 2 (id=313):
userfaultfd(0x0)

216.313478ms ago: executing program 1 (id=314):
msgrcv(0x0, &(0x7f0000000000), 0x0, 0x0, 0x0)

208.545161ms ago: executing program 0 (id=315):
iopl(0x0)

139.876574ms ago: executing program 0 (id=317):
ioprio_get$auto(0x0, 0x0)

139.679048ms ago: executing program 3 (id=318):
sync_file_range(0xffffffffffffffff, 0x0, 0x0, 0x0)

139.511281ms ago: executing program 1 (id=319):
epoll_pwait(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, &(0x7f0000000000), 0x0)

139.452774ms ago: executing program 2 (id=320):
sched_setscheduler(0x0, 0x0, &(0x7f0000000000))

139.352272ms ago: executing program 1 (id=321):
clock_settime(0x0, &(0x7f0000000000))

139.252926ms ago: executing program 3 (id=322):
rt_sigqueueinfo(0x0, 0x0, &(0x7f0000000000))

139.206175ms ago: executing program 0 (id=323):
name_to_handle_at(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0)

138.243526ms ago: executing program 2 (id=324):
getpid()

123.920412ms ago: executing program 1 (id=325):
sched_getaffinity(0x0, 0x0, &(0x7f0000000000))

117.883108ms ago: executing program 3 (id=326):
inotify_rm_watch(0xffffffffffffffff, 0x0)

68.013389ms ago: executing program 0 (id=327):
access$auto(&(0x7f0000000000), 0x0)

67.756006ms ago: executing program 2 (id=328):
mbind(0x0, 0x0, 0x0, &(0x7f0000000000), 0x0, 0x0)

67.577876ms ago: executing program 3 (id=329):
fanotify_mark(0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, &(0x7f0000000000))

67.464587ms ago: executing program 1 (id=330):
io_pgetevents(0x0, 0x0, 0x0, &(0x7f0000000000), 0x0, 0x0)

67.380973ms ago: executing program 2 (id=331):
lgetxattr(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0)

60.094035ms ago: executing program 3 (id=332):
connect(0xffffffffffffffff, &(0x7f0000000000), 0x0)

56.998311ms ago: executing program 0 (id=333):
sendto(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0, 0x0)

48.524959ms ago: executing program 1 (id=334):
creat(&(0x7f0000000000), 0x0)

0s ago: executing program 3 (id=335):
set_tid_address(&(0x7f0000000000))

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.10.21' (ED25519) to the list of known hosts.
[   61.371872][ T5818] cgroup: Unknown subsys name 'net'
[   61.481536][ T5818] cgroup: Unknown subsys name 'cpuset'
[   61.489594][ T5818] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   62.827041][ T5818] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   65.410928][ T5987] mmap: syz.3.150 (5987) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[   67.680689][ T6184] ==================================================================
[   67.688805][ T6184] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[   67.696643][ T6184] Write of size 8 at addr ffff888145fad808 by task syz-executor/6184
[   67.705195][ T6184] 
[   67.707816][ T6184] CPU: 0 UID: 0 PID: 6184 Comm: syz-executor Not tainted 6.13.0-syzkaller-09196-gcd45f362fc1f #0
[   67.707843][ T6184] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   67.707859][ T6184] Call Trace:
[   67.707866][ T6184]  <TASK>
[   67.707878][ T6184]  dump_stack_lvl+0x116/0x1f0
[   67.707909][ T6184]  print_report+0xc3/0x620
[   67.707934][ T6184]  ? __virt_addr_valid+0x5e/0x590
[   67.707955][ T6184]  ? __phys_addr+0xc6/0x150
[   67.707976][ T6184]  kasan_report+0xd9/0x110
[   67.708000][ T6184]  ? binder_add_device+0xa4/0xb0
[   67.708022][ T6184]  ? binder_add_device+0xa4/0xb0
[   67.708046][ T6184]  binder_add_device+0xa4/0xb0
[   67.708066][ T6184]  binderfs_binder_device_create.isra.0+0x8ec/0xad0
[   67.708097][ T6184]  binderfs_fill_super+0x848/0x1240
[   67.708125][ T6184]  ? __pfx_binderfs_fill_super+0x10/0x10
[   67.708161][ T6184]  ? shrinker_register+0x1a8/0x260
[   67.708193][ T6184]  ? sget_fc+0x488/0xb90
[   67.708213][ T6184]  ? apparmor_capable+0x114/0x1d0
[   67.708242][ T6184]  ? __pfx_set_anon_super_fc+0x10/0x10
[   67.708273][ T6184]  ? __pfx_binderfs_fill_super+0x10/0x10
[   67.708296][ T6184]  get_tree_nodev+0xda/0x190
[   67.708318][ T6184]  vfs_get_tree+0x8b/0x340
[   67.708346][ T6184]  path_mount+0x6e1/0x1f00
[   67.708369][ T6184]  ? kmem_cache_free+0x2e2/0x4d0
[   67.708387][ T6184]  ? __pfx_path_mount+0x10/0x10
[   67.708408][ T6184]  ? putname+0x13c/0x180
[   67.708431][ T6184]  __x64_sys_mount+0x28f/0x310
[   67.708450][ T6184]  ? __pfx___x64_sys_mount+0x10/0x10
[   67.708472][ T6184]  ? do_user_addr_fault+0x83d/0x13f0
[   67.708499][ T6184]  do_syscall_64+0xcd/0x250
[   67.708520][ T6184]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   67.708547][ T6184] RIP: 0033:0x7fcb1458e54a
[   67.708577][ T6184] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   67.708597][ T6184] RSP: 002b:00007ffc400b7a78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   67.708617][ T6184] RAX: ffffffffffffffda RBX: 00007fcb1460e663 RCX: 00007fcb1458e54a
[   67.708631][ T6184] RDX: 00007fcb1461dda7 RSI: 00007fcb1460e663 RDI: 00007fcb1461dda7
[   67.708646][ T6184] RBP: 00007ffc400b7af0 R08: 0000000000000000 R09: 0000000000000000
[   67.708659][ T6184] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc400b7af0
[   67.708671][ T6184] R13: 00007ffc400b7af8 R14: 0000000000000009 R15: 0000000000000000
[   67.708691][ T6184]  </TASK>
[   67.708698][ T6184] 
[   67.951695][ T6184] Allocated by task 5832:
[   67.956021][ T6184]  kasan_save_stack+0x33/0x60
[   67.960705][ T6184]  kasan_save_track+0x14/0x30
[   67.965399][ T6184]  __kasan_kmalloc+0xaa/0xb0
[   67.970003][ T6184]  binderfs_binder_device_create.isra.0+0x17a/0xad0
[   67.976596][ T6184]  binderfs_fill_super+0x848/0x1240
[   67.981795][ T6184]  get_tree_nodev+0xda/0x190
[   67.986484][ T6184]  vfs_get_tree+0x8b/0x340
[   67.990994][ T6184]  path_mount+0x6e1/0x1f00
[   67.995429][ T6184]  __x64_sys_mount+0x28f/0x310
[   68.000189][ T6184]  do_syscall_64+0xcd/0x250
[   68.004687][ T6184]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.010600][ T6184] 
[   68.012917][ T6184] Freed by task 5842:
[   68.016886][ T6184]  kasan_save_stack+0x33/0x60
[   68.021563][ T6184]  kasan_save_track+0x14/0x30
[   68.026289][ T6184]  kasan_save_free_info+0x3b/0x60
[   68.031431][ T6184]  __kasan_slab_free+0x51/0x70
[   68.036303][ T6184]  kfree+0x2c4/0x4d0
[   68.040378][ T6184]  binderfs_evict_inode+0x1e0/0x250
[   68.045573][ T6184]  evict+0x409/0x960
[   68.049472][ T6184]  iput+0x52a/0x890
[   68.053282][ T6184]  dentry_unlink_inode+0x29c/0x480
[   68.058396][ T6184]  __dentry_kill+0x1d0/0x600
[   68.063072][ T6184]  shrink_dentry_list+0x140/0x5d0
[   68.068103][ T6184]  shrink_dcache_parent+0xe2/0x530
[   68.073244][ T6184]  shrink_dcache_for_umount+0xa1/0x3e0
[   68.078797][ T6184]  generic_shutdown_super+0x6c/0x390
[   68.084202][ T6184]  kill_litter_super+0x70/0xa0
[   68.089234][ T6184]  binderfs_kill_super+0x3b/0xa0
[   68.094901][ T6184]  deactivate_locked_super+0xbe/0x1a0
[   68.100275][ T6184]  deactivate_super+0xde/0x100
[   68.105128][ T6184]  cleanup_mnt+0x222/0x450
[   68.109537][ T6184]  task_work_run+0x14e/0x250
[   68.114209][ T6184]  do_exit+0xad8/0x2d70
[   68.118378][ T6184]  do_group_exit+0xd3/0x2a0
[   68.122877][ T6184]  get_signal+0x2576/0x2610
[   68.127388][ T6184]  arch_do_signal_or_restart+0x90/0x7e0
[   68.135906][ T6184]  irqentry_exit_to_user_mode+0x13f/0x280
[   68.141805][ T6184]  asm_exc_page_fault+0x26/0x30
[   68.146709][ T6184] 
[   68.149035][ T6184] The buggy address belongs to the object at ffff888145fad800
[   68.149035][ T6184]  which belongs to the cache kmalloc-512 of size 512
[   68.163491][ T6184] The buggy address is located 8 bytes inside of
[   68.163491][ T6184]  freed 512-byte region [ffff888145fad800, ffff888145fada00)
[   68.177121][ T6184] 
[   68.179441][ T6184] The buggy address belongs to the physical page:
[   68.185853][ T6184] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145fac
[   68.194782][ T6184] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   68.203285][ T6184] flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
[   68.210920][ T6184] page_type: f5(slab)
[   68.214906][ T6184] raw: 057ff00000000040 ffff88801b041c80 ffffea0005390a00 dead000000000002
[   68.223607][ T6184] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   68.232282][ T6184] head: 057ff00000000040 ffff88801b041c80 ffffea0005390a00 dead000000000002
[   68.240964][ T6184] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   68.249636][ T6184] head: 057ff00000000002 ffffea000517eb01 ffffffffffffffff 0000000000000000
[   68.258395][ T6184] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[   68.267068][ T6184] page dumped because: kasan: bad access detected
[   68.273492][ T6184] page_owner tracks the page as allocated
[   68.279268][ T6184] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 11686784726, free_ts 0
[   68.299108][ T6184]  post_alloc_hook+0x181/0x1b0
[   68.303992][ T6184]  get_page_from_freelist+0xfce/0x2f80
[   68.309711][ T6184]  __alloc_frozen_pages_noprof+0x221/0x2470
[   68.315603][ T6184]  alloc_pages_mpol+0x1fc/0x540
[   68.320565][ T6184]  new_slab+0x23d/0x330
[   68.324714][ T6184]  ___slab_alloc+0xbfa/0x1600
[   68.329383][ T6184]  __slab_alloc.constprop.0+0x56/0xb0
[   68.334750][ T6184]  __kmalloc_cache_noprof+0xf6/0x420
[   68.340033][ T6184]  dev_pm_qos_constraints_allocate+0x87/0x4b0
[   68.346101][ T6184]  __dev_pm_qos_add_request+0x49b/0x5e0
[   68.351648][ T6184]  dev_pm_qos_add_request+0x3a/0x60
[   68.356934][ T6184]  usb_hub_create_port_device+0x45d/0xde0
[   68.362658][ T6184]  hub_probe+0x1e1e/0x3200
[   68.367079][ T6184]  usb_probe_interface+0x300/0x9c0
[   68.372216][ T6184]  really_probe+0x23e/0xa90
[   68.376830][ T6184]  __driver_probe_device+0x1de/0x440
[   68.382397][ T6184] page_owner free stack trace missing
[   68.387759][ T6184] 
[   68.390103][ T6184] Memory state around the buggy address:
[   68.395730][ T6184]  ffff888145fad700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   68.403872][ T6184]  ffff888145fad780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   68.411937][ T6184] >ffff888145fad800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.419988][ T6184]                       ^
[   68.424300][ T6184]  ffff888145fad880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.432591][ T6184]  ffff888145fad900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.440657][ T6184] ==================================================================
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   68.517889][ T6184] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   68.525398][ T6184] CPU: 1 UID: 0 PID: 6184 Comm: syz-executor Not tainted 6.13.0-syzkaller-09196-gcd45f362fc1f #0
[   68.535924][ T6184] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   68.546001][ T6184] Call Trace:
[   68.549302][ T6184]  <TASK>
[   68.552366][ T6184]  dump_stack_lvl+0x3d/0x1f0
[   68.557077][ T6184]  panic+0x71d/0x800
[   68.561009][ T6184]  ? __pfx_panic+0x10/0x10
[   68.565626][ T6184]  ? irqentry_exit+0x3b/0x90
[   68.570350][ T6184]  ? lockdep_hardirqs_on+0x7c/0x110
[   68.575599][ T6184]  ? preempt_schedule_thunk+0x1a/0x30
[   68.581013][ T6184]  ? preempt_schedule_common+0x44/0xc0
[   68.586709][ T6184]  ? check_panic_on_warn+0x1f/0xb0
[   68.591947][ T6184]  check_panic_on_warn+0xab/0xb0
[   68.596976][ T6184]  end_report+0x117/0x180
[   68.601457][ T6184]  kasan_report+0xe9/0x110
[   68.606041][ T6184]  ? binder_add_device+0xa4/0xb0
[   68.611465][ T6184]  ? binder_add_device+0xa4/0xb0
[   68.616525][ T6184]  binder_add_device+0xa4/0xb0
[   68.621757][ T6184]  binderfs_binder_device_create.isra.0+0x8ec/0xad0
[   68.628485][ T6184]  binderfs_fill_super+0x848/0x1240
[   68.633724][ T6184]  ? __pfx_binderfs_fill_super+0x10/0x10
[   68.639506][ T6184]  ? shrinker_register+0x1a8/0x260
[   68.644674][ T6184]  ? sget_fc+0x488/0xb90
[   68.648966][ T6184]  ? apparmor_capable+0x114/0x1d0
[   68.654269][ T6184]  ? __pfx_set_anon_super_fc+0x10/0x10
[   68.659969][ T6184]  ? __pfx_binderfs_fill_super+0x10/0x10
[   68.665826][ T6184]  get_tree_nodev+0xda/0x190
[   68.670449][ T6184]  vfs_get_tree+0x8b/0x340
[   68.675313][ T6184]  path_mount+0x6e1/0x1f00
[   68.679789][ T6184]  ? kmem_cache_free+0x2e2/0x4d0
[   68.684854][ T6184]  ? __pfx_path_mount+0x10/0x10
[   68.689740][ T6184]  ? putname+0x13c/0x180
[   68.694233][ T6184]  __x64_sys_mount+0x28f/0x310
[   68.699033][ T6184]  ? __pfx___x64_sys_mount+0x10/0x10
[   68.704362][ T6184]  ? do_user_addr_fault+0x83d/0x13f0
[   68.709855][ T6184]  do_syscall_64+0xcd/0x250
[   68.714411][ T6184]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.720432][ T6184] RIP: 0033:0x7fcb1458e54a
[   68.724874][ T6184] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   68.744598][ T6184] RSP: 002b:00007ffc400b7a78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   68.753404][ T6184] RAX: ffffffffffffffda RBX: 00007fcb1460e663 RCX: 00007fcb1458e54a
[   68.762678][ T6184] RDX: 00007fcb1461dda7 RSI: 00007fcb1460e663 RDI: 00007fcb1461dda7
[   68.770694][ T6184] RBP: 00007ffc400b7af0 R08: 0000000000000000 R09: 0000000000000000
[   68.779225][ T6184] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc400b7af0
[   68.787482][ T6184] R13: 00007ffc400b7af8 R14: 0000000000000009 R15: 0000000000000000
[   68.795874][ T6184]  </TASK>
[   68.799679][ T6184] Kernel Offset: disabled
[   68.804589][ T6184] Rebooting in 86400 seconds..