last executing test programs: 3.71636235s ago: executing program 0 (id=170): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/tty', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/tty', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/tty', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/tty', 0x800, 0x0) 3.456006988s ago: executing program 0 (id=172): lchown(&(0x7f0000000000), 0x0, 0x0) 3.141648968s ago: executing program 0 (id=173): landlock_create_ruleset(&(0x7f0000000000), 0x0, 0x0) 2.879292055s ago: executing program 0 (id=175): sendfile64(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0) 2.686525661s ago: executing program 0 (id=177): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/target_ids', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/target_ids', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/target_ids', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/target_ids', 0x800, 0x0) 2.506818576s ago: executing program 0 (id=179): syz_open_dev$hiddev(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$hiddev(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$hiddev(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$hiddev(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$hiddev(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$hiddev(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$hiddev(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$hiddev(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$hiddev(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$hiddev(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$hiddev(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$hiddev(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$hiddev(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$hiddev(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$hiddev(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$hiddev(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$hiddev(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$hiddev(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$hiddev(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$hiddev(&(0x7f0000000500), 0x4, 0x800) 2.137340737s ago: executing program 1 (id=181): remap_file_pages(0x0, 0x0, 0x0, 0x0, 0x0) 1.853706306s ago: executing program 1 (id=182): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/binder', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/binder', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/binder', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/binder', 0x800, 0x0) 1.663285751s ago: executing program 1 (id=183): setpriority(0x0, 0x0, 0x0) 1.403728799s ago: executing program 1 (id=184): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ttyS3', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ttyS3', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyS3', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ttyS3', 0x800, 0x0) 1.263067313s ago: executing program 1 (id=185): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/adsp1', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/adsp1', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/adsp1', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/adsp1', 0x800, 0x0) 0s ago: executing program 1 (id=186): socket$pppl2tp(0x18, 0x1, 0x1) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:43482' (ED25519) to the list of known hosts. [ 181.486858][ T29] audit: type=1400 audit(180.930:58): avc: denied { name_bind } for pid=3276 comm="sshd" src=30005 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 182.209128][ T29] audit: type=1400 audit(181.650:59): avc: denied { execute } for pid=3278 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 182.226630][ T29] audit: type=1400 audit(181.660:60): avc: denied { execute_no_trans } for pid=3278 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 186.758626][ T29] audit: type=1400 audit(186.200:61): avc: denied { mounton } for pid=3278 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1736 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 186.779240][ T29] audit: type=1400 audit(186.220:62): avc: denied { mount } for pid=3278 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 186.840752][ T3278] cgroup: Unknown subsys name 'net' [ 186.880988][ T29] audit: type=1400 audit(186.330:63): avc: denied { unmount } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 187.401930][ T3278] cgroup: Unknown subsys name 'cpuset' [ 187.464093][ T3278] cgroup: Unknown subsys name 'rlimit' [ 188.053521][ T29] audit: type=1400 audit(187.500:64): avc: denied { setattr } for pid=3278 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 188.062047][ T29] audit: type=1400 audit(187.500:65): avc: denied { create } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 188.063849][ T29] audit: type=1400 audit(187.510:66): avc: denied { write } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 188.072080][ T29] audit: type=1400 audit(187.520:67): avc: denied { module_request } for pid=3278 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 188.359799][ T29] audit: type=1400 audit(187.810:68): avc: denied { read } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 188.442224][ T29] audit: type=1400 audit(187.890:69): avc: denied { mounton } for pid=3278 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 188.449483][ T29] audit: type=1400 audit(187.890:70): avc: denied { mount } for pid=3278 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 189.182451][ T3281] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 189.384779][ T3278] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 197.236771][ T29] kauditd_printk_skb: 4 callbacks suppressed [ 197.236944][ T29] audit: type=1400 audit(196.680:75): avc: denied { execmem } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 197.350775][ T29] audit: type=1400 audit(196.800:76): avc: denied { read } for pid=3284 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 197.361242][ T29] audit: type=1400 audit(196.800:77): avc: denied { open } for pid=3284 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 197.388235][ T29] audit: type=1400 audit(196.840:78): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 198.047902][ T29] audit: type=1400 audit(197.500:79): avc: denied { mount } for pid=3285 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 198.069023][ T29] audit: type=1400 audit(197.500:80): avc: denied { mounton } for pid=3285 comm="syz-executor" path="/syzkaller.660yAR/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 198.070104][ T29] audit: type=1400 audit(197.510:81): avc: denied { mount } for pid=3285 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 198.084895][ T29] audit: type=1400 audit(197.530:82): avc: denied { mounton } for pid=3285 comm="syz-executor" path="/syzkaller.660yAR/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 198.096599][ T29] audit: type=1400 audit(197.540:83): avc: denied { mounton } for pid=3285 comm="syz-executor" path="/syzkaller.660yAR/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2607 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 198.113085][ T29] audit: type=1400 audit(197.560:84): avc: denied { unmount } for pid=3285 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 204.604625][ T29] kauditd_printk_skb: 9 callbacks suppressed [ 204.604826][ T29] audit: type=1400 audit(204.050:94): avc: denied { create } for pid=3329 comm="syz.0.41" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 205.079894][ T29] audit: type=1400 audit(204.530:95): avc: denied { read } for pid=3334 comm="syz.0.46" name="ubi_ctrl" dev="devtmpfs" ino=686 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 205.082804][ T29] audit: type=1400 audit(204.530:96): avc: denied { open } for pid=3334 comm="syz.0.46" path="/dev/ubi_ctrl" dev="devtmpfs" ino=686 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 205.094917][ T29] audit: type=1400 audit(204.540:97): avc: denied { write } for pid=3334 comm="syz.0.46" name="ubi_ctrl" dev="devtmpfs" ino=686 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 209.516201][ T29] audit: type=1400 audit(208.960:98): avc: denied { create } for pid=3365 comm="syz.0.71" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=pppox_socket permissive=1 [ 210.543734][ T29] audit: type=1400 audit(209.990:99): avc: denied { create } for pid=3371 comm="syz.0.77" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1 [ 213.369328][ T29] audit: type=1400 audit(212.810:100): avc: denied { read } for pid=3387 comm="syz.1.93" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 213.374727][ T29] audit: type=1400 audit(212.820:101): avc: denied { open } for pid=3387 comm="syz.1.93" path="/dev/uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 213.410777][ T29] audit: type=1400 audit(212.860:102): avc: denied { write } for pid=3387 comm="syz.1.93" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 214.067177][ T29] audit: type=1400 audit(213.490:103): avc: denied { read } for pid=3390 comm="syz.0.96" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 214.069122][ T29] audit: type=1400 audit(213.510:104): avc: denied { open } for pid=3390 comm="syz.0.96" path="/dev/vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 214.103778][ T29] audit: type=1400 audit(213.540:105): avc: denied { write } for pid=3390 comm="syz.0.96" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 217.549818][ T29] audit: type=1400 audit(217.000:106): avc: denied { create } for pid=3411 comm="syz.0.117" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 219.474819][ T29] audit: type=1400 audit(218.920:107): avc: denied { create } for pid=3419 comm="syz.0.124" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=xdp_socket permissive=1 [ 222.212443][ T29] audit: type=1400 audit(221.660:108): avc: denied { sys_module } for pid=3435 comm="syz.0.140" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 228.630616][ T3476] mmap: syz.1.181 (3476) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 230.897615][ T3478] ================================================================== [ 230.898771][ T3478] BUG: KASAN: slab-use-after-free in binder_add_device+0x98/0xb0 [ 230.899922][ T3478] Write of size 8 at addr ffff0000126a7408 by task syz-executor/3478 [ 230.900610][ T3478] [ 230.902486][ T3478] CPU: 0 UID: 0 PID: 3478 Comm: syz-executor Not tainted 6.13.0-syzkaller-09030-g6d61a53dd6f5 #0 [ 230.902973][ T3478] Hardware name: linux,dummy-virt (DT) [ 230.903343][ T3478] Call trace: [ 230.903515][ T3478] show_stack+0x18/0x24 (C) [ 230.903712][ T3478] dump_stack_lvl+0xa4/0xf4 [ 230.903776][ T3478] print_report+0xf4/0x5a0 [ 230.903822][ T3478] kasan_report+0xc8/0x108 [ 230.903856][ T3478] __asan_report_store8_noabort+0x20/0x2c [ 230.903895][ T3478] binder_add_device+0x98/0xb0 [ 230.903932][ T3478] binderfs_binder_device_create.isra.0+0x798/0x960 [ 230.903973][ T3478] binderfs_fill_super+0x668/0xe9c [ 230.904010][ T3478] get_tree_nodev+0xac/0x148 [ 230.904048][ T3478] binderfs_fs_context_get_tree+0x18/0x24 [ 230.904086][ T3478] vfs_get_tree+0x74/0x280 [ 230.904124][ T3478] path_mount+0x750/0x1684 [ 230.904163][ T3478] __arm64_sys_mount+0x26c/0x4d8 [ 230.904201][ T3478] invoke_syscall+0x6c/0x258 [ 230.904236][ T3478] el0_svc_common.constprop.0+0xac/0x230 [ 230.904270][ T3478] do_el0_svc_compat+0x40/0x68 [ 230.904303][ T3478] el0_svc_compat+0x4c/0x17c [ 230.904341][ T3478] el0t_32_sync_handler+0x98/0x13c [ 230.904391][ T3478] el0t_32_sync+0x19c/0x1a0 [ 230.904575][ T3478] [ 230.911211][ T3478] Allocated by task 3284: [ 230.911789][ T3478] kasan_save_stack+0x3c/0x64 [ 230.912130][ T3478] kasan_save_track+0x20/0x3c [ 230.912428][ T3478] kasan_save_alloc_info+0x40/0x54 [ 230.912747][ T3478] __kasan_kmalloc+0xb8/0xbc [ 230.913042][ T3478] __kmalloc_cache_noprof+0x1b4/0x3d0 [ 230.913371][ T3478] binderfs_binder_device_create.isra.0+0x140/0x960 [ 230.913693][ T3478] binderfs_fill_super+0x668/0xe9c [ 230.914041][ T3478] get_tree_nodev+0xac/0x148 [ 230.914346][ T3478] binderfs_fs_context_get_tree+0x18/0x24 [ 230.914785][ T3478] vfs_get_tree+0x74/0x280 [ 230.915117][ T3478] path_mount+0x750/0x1684 [ 230.915595][ T3478] __arm64_sys_mount+0x26c/0x4d8 [ 230.915903][ T3478] invoke_syscall+0x6c/0x258 [ 230.916208][ T3478] el0_svc_common.constprop.0+0xac/0x230 [ 230.916657][ T3478] do_el0_svc_compat+0x40/0x68 [ 230.917023][ T3478] el0_svc_compat+0x4c/0x17c [ 230.917391][ T3478] el0t_32_sync_handler+0x98/0x13c [ 230.917798][ T3478] el0t_32_sync+0x19c/0x1a0 [ 230.918125][ T3478] [ 230.918413][ T3478] Freed by task 3284: [ 230.918743][ T3478] kasan_save_stack+0x3c/0x64 [ 230.919042][ T3478] kasan_save_track+0x20/0x3c [ 230.919337][ T3478] kasan_save_free_info+0x4c/0x74 [ 230.919684][ T3478] __kasan_slab_free+0x50/0x6c [ 230.920022][ T3478] kfree+0x1bc/0x444 [ 230.920303][ T3478] binderfs_evict_inode+0x1c4/0x214 [ 230.920621][ T3478] evict+0x2d0/0x6b0 [ 230.920952][ T3478] iput+0x3b0/0x6b4 [ 230.921262][ T3478] dentry_unlink_inode+0x208/0x46c [ 230.921631][ T3478] __dentry_kill+0x150/0x52c [ 230.921979][ T3478] shrink_dentry_list+0x114/0x3a4 [ 230.922335][ T3478] shrink_dcache_parent+0x158/0x364 [ 230.922703][ T3478] shrink_dcache_for_umount+0x88/0x304 [ 230.923073][ T3478] generic_shutdown_super+0x60/0x2e8 [ 230.923464][ T3478] kill_litter_super+0x68/0xa4 [ 230.923874][ T3478] binderfs_kill_super+0x38/0x88 [ 230.924236][ T3478] deactivate_locked_super+0x98/0x17c [ 230.924626][ T3478] deactivate_super+0xb0/0xd4 [ 230.924960][ T3478] cleanup_mnt+0x174/0x324 [ 230.925437][ T3478] __cleanup_mnt+0x14/0x20 [ 230.925812][ T3478] task_work_run+0x128/0x210 [ 230.926163][ T3478] do_exit+0x7a0/0x2044 [ 230.926576][ T3478] do_group_exit+0xa4/0x208 [ 230.926918][ T3478] get_signal+0x1a60/0x1b08 [ 230.927259][ T3478] do_signal+0x1f4/0x620 [ 230.927622][ T3478] do_notify_resume+0x18c/0x258 [ 230.927976][ T3478] el0_svc_compat+0xfc/0x17c [ 230.928325][ T3478] el0t_32_sync_handler+0x98/0x13c [ 230.928692][ T3478] el0t_32_sync+0x19c/0x1a0 [ 230.929080][ T3478] [ 230.929443][ T3478] The buggy address belongs to the object at ffff0000126a7400 [ 230.929443][ T3478] which belongs to the cache kmalloc-512 of size 512 [ 230.930110][ T3478] The buggy address is located 8 bytes inside of [ 230.930110][ T3478] freed 512-byte region [ffff0000126a7400, ffff0000126a7600) [ 230.930706][ T3478] [ 230.931039][ T3478] The buggy address belongs to the physical page: [ 230.931834][ T3478] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x526a4 [ 230.932733][ T3478] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 230.933211][ T3478] anon flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 230.934022][ T3478] page_type: f5(slab) [ 230.934627][ T3478] raw: 01ffc00000000040 ffff00000d401c80 0000000000000000 dead000000000001 [ 230.935039][ T3478] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 230.935756][ T3478] head: 01ffc00000000040 ffff00000d401c80 0000000000000000 dead000000000001 [ 230.936158][ T3478] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 230.936718][ T3478] head: 01ffc00000000002 fffffdffc049a901 ffffffffffffffff 0000000000000000 [ 230.937116][ T3478] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 230.937591][ T3478] page dumped because: kasan: bad access detected [ 230.937935][ T3478] [ 230.938196][ T3478] Memory state around the buggy address: [ 230.938798][ T3478] ffff0000126a7300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 230.939226][ T3478] ffff0000126a7380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 230.939658][ T3478] >ffff0000126a7400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 230.940067][ T3478] ^ [ 230.940413][ T3478] ffff0000126a7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 230.940788][ T3478] ffff0000126a7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 230.941236][ T3478] ================================================================== SYZFAIL: failed to recv rpc [ 231.013119][ T3478] Disabling lock debugging due to kernel taint fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 231.106423][ T29] audit: type=1400 audit(230.490:109): avc: denied { mount } for pid=3478 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 VM DIAGNOSIS: 10:08:35 Registers: info registers vcpu 0 CPU#0 PC=ffff80008019867c X00=ffff8000887981a0 X01=ffff000016b13c80 X02=0000000000000000 X03=0000000000000000 X04=ffff8000853b500c X05=ffff8000887981ac X06=6e69617420746f4e X07=006465746e696174 X08=ffff8000887981ab X09=dfff800000000000 X10=ffff7000110f3035 X11=1ffff000110f3035 X12=ffff7000110f3036 X13=000000000000f1f1 X14=0000000000000000 X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=000000004dcb0a8b X19=ffff80008633d300 X20=ffff8000867fcfc0 X21=ffff000016b73700 X22=ffff000016b14500 X23=fffffdffc049a900 X24=0000000000000000 X25=0000000000000000 X26=0000000000000d96 X27=ffff80008633d340 X28=ffff000016ac4d60 X29=ffff8000a1d77620 X30=ffff80008019867c SP=ffff8000a1d77620 PSTATE=600000c5 -ZC- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=0000000000000000:0000000000000000 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800080979d00 X00=0000000000000004 X01=0000000000000002 X02=0000000000000010 X03=ffff8000a27d6cd8 X04=1ffff000144fadac X05=ffff8000a27d6d18 X06=ffff8000a27d6d30 X07=ffff8000a27d6de0 X08=ffff8000a27d6cd8 X09=dfff800000000000 X10=ffff7000144fad9a X11=1ffff000144fad9a X12=ffff7000144fad9b X13=ffff000014e70a90 X14=1ffff000110f3cfc X15=1fffe000029ce14e X16=0000000000000000 X17=ffff7fffe33c8000 X18=000000002226f921 X19=0000000000000001 X20=ffff800086d88488 X21=ffff8000853cd360 X22=ffff000014e70a90 X23=dead000000000122 X24=0000000000011ba4 X25=0000000000000000 X26=0000000000001f84 X27=000000000000000a X28=dfff800000000000 X29=ffff8000a27d6d50 X30=ffff80008532a414 SP=ffff8000a27d6d20 PSTATE=000000c5 ---- EL1h FPCR=00000000 FPSR=00000000 Q00=2c2c2c2c2c2c2c2c:2c2c2c2c2c2c2c2c Q01=0065770075253a73:2520277325272067 Q02=c000000c00000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=3003300330033003:3003300330033003 Q05=f00ff00ff00ff00f:f00ff00ff00ff00f Q06=c00c000000000000:c00c000000000000 Q07=0000aaaae6e94790:000002da00000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000002000:0000000000000000 Q17=000000000000000b:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000