last executing test programs: 2.004808589s ago: executing program 0 (id=364): statx(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, &(0x7f0000000000)) 2.000984574s ago: executing program 0 (id=365): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/relabel', 0x2, 0x0) 1.942024181s ago: executing program 0 (id=369): get_robust_list(0x0, &(0x7f0000000000), &(0x7f0000000000)) 1.941593214s ago: executing program 0 (id=372): request_key(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0) 1.903690939s ago: executing program 0 (id=374): rt_sigaction(0x0, &(0x7f0000000000), 0x0, 0x0, &(0x7f0000000000)) 1.903551996s ago: executing program 0 (id=375): pause() 565.875529ms ago: executing program 4 (id=554): io_destroy(0x0) 565.283652ms ago: executing program 4 (id=558): unshare(0x0) 514.195864ms ago: executing program 4 (id=562): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/snd/timer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snd/timer', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snd/timer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snd/timer', 0x800, 0x0) 513.308525ms ago: executing program 4 (id=566): renameat2(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000), 0x0) 450.032895ms ago: executing program 4 (id=572): syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4) 444.359484ms ago: executing program 4 (id=578): rt_sigreturn() 373.546498ms ago: executing program 3 (id=585): iopl(0x0) 367.829928ms ago: executing program 2 (id=586): syz_open_dev$swradio(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$swradio(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$swradio(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$swradio(&(0x7f0000000100), 0x0, 0x800) 354.54447ms ago: executing program 3 (id=587): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer', 0x1, 0x0) openat(0xffffffffffffff9c, 
&(0x7f00000000c0)='/dev/sequencer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer', 0x800, 0x0) 301.434505ms ago: executing program 2 (id=588): select(0x0, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000)) 300.68926ms ago: executing program 3 (id=590): sched_setattr(0x0, &(0x7f0000000000), 0x0) 300.561926ms ago: executing program 1 (id=591): mq_notify(0xffffffffffffffff, &(0x7f0000000000)) 300.181189ms ago: executing program 2 (id=592): getrusage(0x0, &(0x7f0000000000)) 299.750338ms ago: executing program 3 (id=593): syz_open_dev$hidraw(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$hidraw(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$hidraw(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$hidraw(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$hidraw(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$hidraw(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$hidraw(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$hidraw(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$hidraw(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$hidraw(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$hidraw(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$hidraw(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$hidraw(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$hidraw(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$hidraw(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$hidraw(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$hidraw(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$hidraw(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$hidraw(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$hidraw(&(0x7f0000000500), 0x4, 0x800) 256.90781ms ago: executing program 1 (id=594): getdents64(0xffffffffffffffff, &(0x7f0000000000), 0x0) 256.809162ms ago: executing program 2 (id=595): inotify_add_watch(0xffffffffffffffff, &(0x7f0000000000), 0x0) 256.694399ms ago: executing program 1 (id=596): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm_plock', 0x1, 0x0) openat(0xffffffffffffff9c, 
&(0x7f00000000c0)='/dev/dlm_plock', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm_plock', 0x800, 0x0) 256.645394ms ago: executing program 2 (id=597): ioperm(0x0, 0x0, 0x0) 256.573172ms ago: executing program 1 (id=598): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cuse', 0x2, 0x0) 256.428357ms ago: executing program 3 (id=599): process_vm_readv(0x0, &(0x7f0000000000), 0x0, &(0x7f0000000000), 0x0, 0x0) 206.189927ms ago: executing program 2 (id=600): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcsa', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcsa', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcsa', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcsa', 0x800, 0x0) 206.06477ms ago: executing program 3 (id=601): shmdt(0x0) 205.905028ms ago: executing program 1 (id=602): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio1', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio1', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/audio1', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio1', 0x800, 0x0) 0s ago: executing program 1 (id=605): msgsnd(0x0, &(0x7f0000000000), 0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.121' (ED25519) to the list of known hosts. 
[ 49.962472][ T29] audit: type=1400 audit(1738041383.597:88): avc: denied { mounton } for pid=5801 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1925 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 49.967669][ T5801] cgroup: Unknown subsys name 'net' [ 49.985210][ T29] audit: type=1400 audit(1738041383.607:89): avc: denied { mount } for pid=5801 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 50.014948][ T29] audit: type=1400 audit(1738041383.657:90): avc: denied { unmount } for pid=5801 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 50.176352][ T5801] cgroup: Unknown subsys name 'cpuset' [ 50.184163][ T5801] cgroup: Unknown subsys name 'rlimit' [ 50.311841][ T29] audit: type=1400 audit(1738041383.947:91): avc: denied { setattr } for pid=5801 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=820 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 50.352192][ T29] audit: type=1400 audit(1738041383.947:92): avc: denied { create } for pid=5801 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 50.372749][ T29] audit: type=1400 audit(1738041383.947:93): avc: denied { write } for pid=5801 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 50.393170][ T29] audit: type=1400 audit(1738041383.947:94): avc: denied { read } for pid=5801 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 50.413473][ T29] audit: type=1400 audit(1738041383.947:95): avc: denied { mounton } for pid=5801 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 50.438476][ T29] audit: type=1400 audit(1738041383.947:96): avc: denied { mount } for pid=5801 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 50.461804][ T29] audit: type=1400 audit(1738041383.977:97): avc: denied { read } for pid=5485 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [ 50.464282][ T5806] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 51.423760][ T5801] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 53.290999][ T5856] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 54.857756][ T6098] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 54.985115][ T29] kauditd_printk_skb: 96 callbacks suppressed [ 54.985130][ T29] audit: type=1400 audit(1738041388.627:194): avc: denied { create } for pid=6115 comm="syz.1.290" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=dccp_socket permissive=1 [ 55.167098][ T29] audit: type=1400 audit(1738041388.807:195): avc: denied { create } for pid=6137 comm="syz.0.311" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_crypto_socket permissive=1 [ 55.390365][ T29] audit: type=1400 audit(1738041389.027:196): avc: denied { create } for pid=6166 comm="syz.0.339" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=kcm_socket permissive=1 [ 55.419823][ T29] audit: type=1400 audit(1738041389.057:197): avc: denied { create } for pid=6172 comm="syz.4.341" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=caif_socket 
permissive=1 [ 55.580417][ T29] audit: type=1400 audit(1738041389.217:198): avc: denied { read } for pid=6190 comm="syz.3.360" name="usbmon0" dev="devtmpfs" ino=716 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 55.603561][ C1] vkms_vblank_simulate: vblank timer overrun [ 55.681512][ T29] audit: type=1400 audit(1738041389.217:199): avc: denied { open } for pid=6190 comm="syz.3.360" path="/dev/usbmon0" dev="devtmpfs" ino=716 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 55.705114][ C1] vkms_vblank_simulate: vblank timer overrun [ 55.775421][ T29] audit: type=1400 audit(1738041389.217:200): avc: denied { write } for pid=6190 comm="syz.3.360" name="usbmon0" dev="devtmpfs" ino=716 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 55.864672][ T29] audit: type=1400 audit(1738041389.377:201): avc: denied { read } for pid=6208 comm="syz.2.377" name="nullb0" dev="devtmpfs" ino=696 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=blk_file permissive=1 [ 55.887543][ C1] vkms_vblank_simulate: vblank timer overrun [ 55.982453][ T29] audit: type=1400 audit(1738041389.377:202): avc: denied { open } for pid=6208 comm="syz.2.377" path="/dev/nullb0" dev="devtmpfs" ino=696 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=blk_file permissive=1 [ 56.005339][ C1] vkms_vblank_simulate: vblank timer overrun [ 56.073327][ T29] audit: type=1400 audit(1738041389.377:203): avc: denied { write } for pid=6208 comm="syz.2.377" name="nullb0" dev="devtmpfs" ino=696 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=blk_file permissive=1 [ 56.368495][ T6289] mmap: syz.4.459 (6289) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. 
[ 57.735972][ T6435] ================================================================== [ 57.744071][ T6435] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0 [ 57.751806][ T6435] Write of size 8 at addr ffff888076318808 by task syz-executor/6435 [ 57.759877][ T6435] [ 57.762208][ T6435] CPU: 0 UID: 0 PID: 6435 Comm: syz-executor Not tainted 6.13.0-syzkaller-08997-gf34b580514c9 #0 [ 57.762231][ T6435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 57.762241][ T6435] Call Trace: [ 57.762248][ T6435] <TASK> [ 57.762256][ T6435] dump_stack_lvl+0x116/0x1f0 [ 57.762290][ T6435] print_report+0xc3/0x620 [ 57.762310][ T6435] ? __virt_addr_valid+0x5e/0x590 [ 57.762328][ T6435] ? __phys_addr+0xc6/0x150 [ 57.762346][ T6435] kasan_report+0xd9/0x110 [ 57.762364][ T6435] ? binder_add_device+0xa4/0xb0 [ 57.762384][ T6435] ? binder_add_device+0xa4/0xb0 [ 57.762406][ T6435] binder_add_device+0xa4/0xb0 [ 57.762425][ T6435] binderfs_binder_device_create.isra.0+0x95f/0xb70 [ 57.762453][ T6435] binderfs_fill_super+0x8d6/0x1360 [ 57.762477][ T6435] ? __pfx_binderfs_fill_super+0x10/0x10 [ 57.762508][ T6435] ? shrinker_register+0x1a8/0x260 [ 57.762534][ T6435] ? sget_fc+0x808/0xc20 [ 57.762559][ T6435] ? __pfx_set_anon_super_fc+0x10/0x10 [ 57.762584][ T6435] ? __pfx_binderfs_fill_super+0x10/0x10 [ 57.762606][ T6435] get_tree_nodev+0xda/0x190 [ 57.762632][ T6435] vfs_get_tree+0x8b/0x340 [ 57.762654][ T6435] path_mount+0x14e6/0x1f10 [ 57.762673][ T6435] ? kmem_cache_free+0x2e2/0x4d0 [ 57.762690][ T6435] ? __pfx_path_mount+0x10/0x10 [ 57.762710][ T6435] ? putname+0x13c/0x180 [ 57.762730][ T6435] __x64_sys_mount+0x28f/0x310 [ 57.762749][ T6435] ? 
__pfx___x64_sys_mount+0x10/0x10 [ 57.762772][ T6435] do_syscall_64+0xcd/0x250 [ 57.762793][ T6435] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 57.762818][ T6435] RIP: 0033:0x7f401a18e4ca [ 57.762834][ T6435] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 57.762851][ T6435] RSP: 002b:00007ffcef89dcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 57.762868][ T6435] RAX: ffffffffffffffda RBX: 00007f401a20e663 RCX: 00007f401a18e4ca [ 57.762881][ T6435] RDX: 00007f401a21dd57 RSI: 00007f401a20e663 RDI: 00007f401a21dd57 [ 57.762892][ T6435] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 57.762903][ T6435] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f401a228440 [ 57.762914][ T6435] R13: 00007ffcef89dd78 R14: 0000000000000009 R15: 0000000000000000 [ 57.762937][ T6435] </TASK> [ 57.762943][ T6435] [ 57.990114][ T6435] Allocated by task 5816: [ 57.994438][ T6435] kasan_save_stack+0x33/0x60 [ 57.999116][ T6435] kasan_save_track+0x14/0x30 [ 58.003795][ T6435] __kasan_kmalloc+0xaa/0xb0 [ 58.008389][ T6435] binderfs_binder_device_create.isra.0+0x17a/0xb70 [ 58.014987][ T6435] binderfs_fill_super+0x8d6/0x1360 [ 58.020189][ T6435] get_tree_nodev+0xda/0x190 [ 58.024787][ T6435] vfs_get_tree+0x8b/0x340 [ 58.029207][ T6435] path_mount+0x14e6/0x1f10 [ 58.033711][ T6435] __x64_sys_mount+0x28f/0x310 [ 58.038504][ T6435] do_syscall_64+0xcd/0x250 [ 58.043011][ T6435] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.048913][ T6435] [ 58.051228][ T6435] Freed by task 5816: [ 58.055198][ T6435] kasan_save_stack+0x33/0x60 [ 58.059880][ T6435] kasan_save_track+0x14/0x30 [ 58.064558][ T6435] kasan_save_free_info+0x3b/0x60 [ 58.069589][ T6435] __kasan_slab_free+0x51/0x70 [ 58.074359][ T6435] kfree+0x2c4/0x4d0 [ 58.078263][ T6435] binderfs_evict_inode+0x1e0/0x250 [ 58.083469][ T6435] evict+0x409/0x960 [ 58.087369][ T6435] 
iput+0x52a/0x890 [ 58.091194][ T6435] dentry_unlink_inode+0x29c/0x480 [ 58.096312][ T6435] __dentry_kill+0x1d0/0x600 [ 58.101082][ T6435] shrink_dentry_list+0x140/0x5d0 [ 58.106112][ T6435] shrink_dcache_parent+0xe2/0x530 [ 58.111232][ T6435] shrink_dcache_for_umount+0xa1/0x3e0 [ 58.116698][ T6435] generic_shutdown_super+0x6c/0x390 [ 58.122025][ T6435] kill_litter_super+0x70/0xa0 [ 58.126805][ T6435] binderfs_kill_super+0x3b/0xa0 [ 58.131920][ T6435] deactivate_locked_super+0xbe/0x1a0 [ 58.137307][ T6435] deactivate_super+0xde/0x100 [ 58.142082][ T6435] cleanup_mnt+0x222/0x450 [ 58.146511][ T6435] task_work_run+0x14e/0x250 [ 58.151112][ T6435] do_exit+0xad8/0x2d70 [ 58.155273][ T6435] do_group_exit+0xd3/0x2a0 [ 58.159780][ T6435] get_signal+0x24ed/0x26c0 [ 58.164292][ T6435] arch_do_signal_or_restart+0x90/0x7e0 [ 58.169838][ T6435] syscall_exit_to_user_mode+0x150/0x2a0 [ 58.175473][ T6435] do_syscall_64+0xda/0x250 [ 58.179982][ T6435] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.185913][ T6435] [ 58.188239][ T6435] The buggy address belongs to the object at ffff888076318800 [ 58.188239][ T6435] which belongs to the cache kmalloc-512 of size 512 [ 58.202561][ T6435] The buggy address is located 8 bytes inside of [ 58.202561][ T6435] freed 512-byte region [ffff888076318800, ffff888076318a00) [ 58.216195][ T6435] [ 58.218523][ T6435] The buggy address belongs to the physical page: [ 58.224956][ T6435] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76318 [ 58.233724][ T6435] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 58.242400][ T6435] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 58.249965][ T6435] page_type: f5(slab) [ 58.253954][ T6435] raw: 00fff00000000040 ffff88801b041c80 ffffea0000d2a000 dead000000000002 [ 58.262540][ T6435] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 58.271135][ T6435] head: 00fff00000000040 ffff88801b041c80 ffffea0000d2a000 dead000000000002 [ 
58.279814][ T6435] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 58.288491][ T6435] head: 00fff00000000002 ffffea0001d8c601 ffffffffffffffff 0000000000000000 [ 58.297166][ T6435] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 58.305835][ T6435] page dumped because: kasan: bad access detected [ 58.312258][ T6435] page_owner tracks the page as allocated [ 58.317968][ T6435] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5816, tgid 5816 (syz-executor), ts 53138192474, free_ts 13777400359 [ 58.339338][ T6435] post_alloc_hook+0x181/0x1b0 [ 58.344124][ T6435] get_page_from_freelist+0xfce/0x2f80 [ 58.349583][ T6435] __alloc_frozen_pages_noprof+0x221/0x2470 [ 58.355479][ T6435] alloc_pages_mpol+0x1fc/0x540 [ 58.360335][ T6435] new_slab+0x23d/0x330 [ 58.364496][ T6435] ___slab_alloc+0xc5d/0x1720 [ 58.369180][ T6435] __slab_alloc.constprop.0+0x56/0xb0 [ 58.374561][ T6435] __kmalloc_cache_noprof+0xfa/0x410 [ 58.379850][ T6435] binderfs_fill_super+0x73d/0x1360 [ 58.385054][ T6435] get_tree_nodev+0xda/0x190 [ 58.389658][ T6435] vfs_get_tree+0x8b/0x340 [ 58.394082][ T6435] path_mount+0x14e6/0x1f10 [ 58.398584][ T6435] __x64_sys_mount+0x28f/0x310 [ 58.403714][ T6435] do_syscall_64+0xcd/0x250 [ 58.408221][ T6435] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.414124][ T6435] page last free pid 1 tgid 1 stack trace: [ 58.419934][ T6435] free_frozen_pages+0x6db/0xfb0 [ 58.424878][ T6435] free_contig_range+0x133/0x3f0 [ 58.429831][ T6435] destroy_args+0x66f/0x830 [ 58.434344][ T6435] debug_vm_pgtable+0x130f/0x2d60 [ 58.439389][ T6435] do_one_initcall+0x128/0x700 [ 58.444158][ T6435] kernel_init_freeable+0x5c7/0x900 [ 58.449364][ T6435] kernel_init+0x1c/0x2b0 [ 58.453710][ T6435] ret_from_fork+0x45/0x80 [ 58.458131][ T6435] ret_from_fork_asm+0x1a/0x30 [ 58.462900][ T6435] [ 58.465230][ T6435] Memory state around the buggy 
address: [ 58.470857][ T6435] ffff888076318700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 58.478922][ T6435] ffff888076318780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 58.486981][ T6435] >ffff888076318800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.495035][ T6435] ^ [ 58.499357][ T6435] ffff888076318880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.507427][ T6435] ffff888076318900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.515485][ T6435] ================================================================== [ 58.535838][ T6435] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 58.543053][ T6435] CPU: 0 UID: 0 PID: 6435 Comm: syz-executor Not tainted 6.13.0-syzkaller-08997-gf34b580514c9 #0 [ 58.553595][ T6435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 58.563652][ T6435] Call Trace: [ 58.566934][ T6435] <TASK> [ 58.569877][ T6435] dump_stack_lvl+0x3d/0x1f0 [ 58.574484][ T6435] panic+0x71d/0x800 [ 58.578389][ T6435] ? __pfx_panic+0x10/0x10 [ 58.582807][ T6435] ? irqentry_exit+0x3b/0x90 [ 58.587401][ T6435] ? lockdep_hardirqs_on+0x7c/0x110 [ 58.592604][ T6435] ? preempt_schedule_thunk+0x1a/0x30 [ 58.597986][ T6435] ? preempt_schedule_common+0x44/0xc0 [ 58.603456][ T6435] ? check_panic_on_warn+0x1f/0xb0 [ 58.608576][ T6435] check_panic_on_warn+0xab/0xb0 [ 58.613521][ T6435] end_report+0x117/0x180 [ 58.617860][ T6435] kasan_report+0xe9/0x110 [ 58.622291][ T6435] ? binder_add_device+0xa4/0xb0 [ 58.627321][ T6435] ? binder_add_device+0xa4/0xb0 [ 58.632270][ T6435] binder_add_device+0xa4/0xb0 [ 58.637041][ T6435] binderfs_binder_device_create.isra.0+0x95f/0xb70 [ 58.643647][ T6435] binderfs_fill_super+0x8d6/0x1360 [ 58.648880][ T6435] ? __pfx_binderfs_fill_super+0x10/0x10 [ 58.654538][ T6435] ? shrinker_register+0x1a8/0x260 [ 58.659662][ T6435] ? sget_fc+0x808/0xc20 [ 58.663919][ T6435] ? __pfx_set_anon_super_fc+0x10/0x10 [ 58.669388][ T6435] ? 
__pfx_binderfs_fill_super+0x10/0x10 [ 58.675029][ T6435] get_tree_nodev+0xda/0x190 [ 58.679636][ T6435] vfs_get_tree+0x8b/0x340 [ 58.684062][ T6435] path_mount+0x14e6/0x1f10 [ 58.688585][ T6435] ? kmem_cache_free+0x2e2/0x4d0 [ 58.693532][ T6435] ? __pfx_path_mount+0x10/0x10 [ 58.698395][ T6435] ? putname+0x13c/0x180 [ 58.702651][ T6435] __x64_sys_mount+0x28f/0x310 [ 58.707428][ T6435] ? __pfx___x64_sys_mount+0x10/0x10 [ 58.712725][ T6435] do_syscall_64+0xcd/0x250 [ 58.717238][ T6435] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.723151][ T6435] RIP: 0033:0x7f401a18e4ca [ 58.727583][ T6435] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 58.747211][ T6435] RSP: 002b:00007ffcef89dcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 58.755632][ T6435] RAX: ffffffffffffffda RBX: 00007f401a20e663 RCX: 00007f401a18e4ca [ 58.763606][ T6435] RDX: 00007f401a21dd57 RSI: 00007f401a20e663 RDI: 00007f401a21dd57 [ 58.771577][ T6435] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 58.779546][ T6435] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f401a228440 [ 58.787516][ T6435] R13: 00007ffcef89dd78 R14: 0000000000000009 R15: 0000000000000000 [ 58.795487][ T6435] </TASK> [ 58.798706][ T6435] Kernel Offset: disabled [ 58.803027][ T6435] Rebooting in 86400 seconds..