Warning: Permanently added '10.128.0.210' (ED25519) to the list of known hosts.
executing program
[ 81.575147][ T5826] ==================================================================
[ 81.583344][ T5826] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 81.591103][ T5826] Write of size 8 at addr ffff88807ee6e008 by task syz-executor195/5826
[ 81.599428][ T5826]
[ 81.601759][ T5826] CPU: 1 UID: 0 PID: 5826 Comm: syz-executor195 Not tainted 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 PREEMPT(full)
[ 81.601789][ T5826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
[ 81.601803][ T5826] Call Trace:
[ 81.601812][ T5826]
[ 81.601821][ T5826] dump_stack_lvl+0x189/0x250
[ 81.601858][ T5826] ? __kasan_check_byte+0x12/0x40
[ 81.601897][ T5826] ? __pfx_dump_stack_lvl+0x10/0x10
[ 81.601931][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 81.601958][ T5826] ? lock_release+0x4b/0x3e0
[ 81.601990][ T5826] ? lock_release+0x4b/0x3e0
[ 81.602025][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 81.602052][ T5826] ? __virt_addr_valid+0x469/0x540
[ 81.602085][ T5826] print_report+0xb4/0x290
[ 81.602114][ T5826] ? binder_add_device+0x5f/0xa0
[ 81.602144][ T5826] kasan_report+0x118/0x150
[ 81.602172][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 81.602201][ T5826] ? binder_add_device+0x5f/0xa0
[ 81.602237][ T5826] binder_add_device+0x5f/0xa0
[ 81.602268][ T5826] binderfs_binder_device_create+0x8b7/0xaf0
[ 81.602304][ T5826] binderfs_fill_super+0xa0e/0xe90
[ 81.602339][ T5826] ? __pfx_binderfs_fill_super+0x10/0x10
[ 81.602383][ T5826] ? shrinker_register+0x16b/0x230
[ 81.602408][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 81.602435][ T5826] ? sget_fc+0x962/0xa40
[ 81.602458][ T5826] ? __pfx_set_anon_super_fc+0x10/0x10
[ 81.602482][ T5826] ? __pfx_binderfs_fill_super+0x10/0x10
[ 81.602512][ T5826] get_tree_nodev+0xbb/0x150
[ 81.602543][ T5826] vfs_get_tree+0x92/0x2b0
[ 81.602571][ T5826] do_new_mount+0x24a/0xa40
[ 81.602606][ T5826] __se_sys_mount+0x317/0x410
[ 81.602640][ T5826] ? __pfx___se_sys_mount+0x10/0x10
[ 81.602673][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 81.602700][ T5826] ? __x64_sys_mount+0x20/0xc0
[ 81.602731][ T5826] do_syscall_64+0xf6/0x210
[ 81.602761][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 81.602787][ T5826] ? exc_page_fault+0x91/0x110
[ 81.602814][ T5826] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 81.602837][ T5826] RIP: 0033:0x7f101010fd1a
[ 81.602855][ T5826] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 8e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 81.602875][ T5826] RSP: 002b:00007ffed855eb58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 81.602899][ T5826] RAX: ffffffffffffffda RBX: 00007f1010158038 RCX: 00007f101010fd1a
[ 81.602917][ T5826] RDX: 00007f10101581b8 RSI: 00007f1010158038 RDI: 00007f10101581b8
[ 81.602934][ T5826] RBP: 00007f1010158188 R08: 0000000000000000 R09: 0000000000000140
[ 81.602949][ T5826] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f101015d1dc
[ 81.602965][ T5826] R13: 00007f10101580f0 R14: 0000000000000001 R15: 0000000000000001
[ 81.602990][ T5826]
[ 81.602999][ T5826]
[ 81.875293][ T5826] Allocated by task 5829:
[ 81.879622][ T5826] kasan_save_track+0x3e/0x80
[ 81.884310][ T5826] __kasan_kmalloc+0x93/0xb0
[ 81.888910][ T5826] __kmalloc_cache_noprof+0x230/0x3d0
[ 81.894296][ T5826] binderfs_binder_device_create+0x17f/0xaf0
[ 81.900291][ T5826] binderfs_fill_super+0xa0e/0xe90
[ 81.905417][ T5826] get_tree_nodev+0xbb/0x150
[ 81.910009][ T5826] vfs_get_tree+0x92/0x2b0
[ 81.914425][ T5826] do_new_mount+0x24a/0xa40
[ 81.918940][ T5826] __se_sys_mount+0x317/0x410
[ 81.923639][ T5826] do_syscall_64+0xf6/0x210
[ 81.928157][ T5826] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 81.934061][ T5826]
[ 81.936381][ T5826] Freed by task 1211:
[ 81.940356][ T5826] kasan_save_track+0x3e/0x80
[ 81.945041][ T5826] kasan_save_free_info+0x46/0x50
[ 81.950085][ T5826] __kasan_slab_free+0x62/0x70
[ 81.954860][ T5826] kfree+0x193/0x440
[ 81.958767][ T5826] binder_proc_dec_tmpref+0x228/0x4f0
[ 81.964157][ T5826] binder_deferred_func+0x13a5/0x1520
[ 81.969562][ T5826] process_scheduled_works+0xade/0x17a0
[ 81.975124][ T5826] worker_thread+0x8a0/0xda0
[ 81.979828][ T5826] kthread+0x711/0x8a0
[ 81.983900][ T5826] ret_from_fork+0x4e/0x80
[ 81.988310][ T5826] ret_from_fork_asm+0x1a/0x30
[ 81.993080][ T5826]
[ 81.995400][ T5826] The buggy address belongs to the object at ffff88807ee6e000
[ 81.995400][ T5826] which belongs to the cache kmalloc-512 of size 512
[ 82.009453][ T5826] The buggy address is located 8 bytes inside of
[ 82.009453][ T5826] freed 512-byte region [ffff88807ee6e000, ffff88807ee6e200)
[ 82.023078][ T5826]
[ 82.025400][ T5826] The buggy address belongs to the physical page:
[ 82.031809][ T5826] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ee6c
[ 82.040570][ T5826] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 82.049068][ T5826] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 82.057049][ T5826] page_type: f5(slab)
[ 82.061065][ T5826] raw: 00fff00000000040 ffff88801a041c80 0000000000000000 dead000000000001
[ 82.069655][ T5826] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 82.078247][ T5826] head: 00fff00000000040 ffff88801a041c80 0000000000000000 dead000000000001
[ 82.086952][ T5826] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 82.095662][ T5826] head: 00fff00000000002 ffffea0001fb9b01 00000000ffffffff 00000000ffffffff
[ 82.104352][ T5826] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 82.113009][ T5826] page dumped because: kasan: bad access detected
[ 82.119417][ T5826] page_owner tracks the page as allocated
[ 82.125133][ T5826] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5197, tgid 5197 (udevd), ts 48874783124, free_ts 48529204943
[ 82.145898][ T5826] post_alloc_hook+0x1d8/0x230
[ 82.150683][ T5826] get_page_from_freelist+0x21ce/0x22b0
[ 82.156252][ T5826] __alloc_frozen_pages_noprof+0x181/0x370
[ 82.162077][ T5826] alloc_pages_mpol+0x232/0x4a0
[ 82.166945][ T5826] allocate_slab+0x8a/0x3b0
[ 82.171454][ T5826] ___slab_alloc+0xbfc/0x1480
[ 82.176150][ T5826] __kmalloc_cache_noprof+0x296/0x3d0
[ 82.181541][ T5826] kernfs_fop_open+0x397/0xca0
[ 82.186315][ T5826] do_dentry_open+0xdf3/0x1970
[ 82.191098][ T5826] vfs_open+0x3b/0x340
[ 82.195182][ T5826] path_openat+0x2ee5/0x3830
[ 82.199779][ T5826] do_filp_open+0x1fa/0x410
[ 82.204288][ T5826] do_sys_openat2+0x121/0x1c0
[ 82.208984][ T5826] __x64_sys_openat+0x138/0x170
[ 82.213858][ T5826] do_syscall_64+0xf6/0x210
[ 82.218372][ T5826] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 82.224271][ T5826] page last free pid 5199 tgid 5199 stack trace:
[ 82.230596][ T5826] __free_frozen_pages+0xb0e/0xcd0
[ 82.235725][ T5826] __slab_free+0x326/0x400
[ 82.240146][ T5826] qlist_free_all+0x9a/0x140
[ 82.244746][ T5826] kasan_quarantine_reduce+0x148/0x160
[ 82.250214][ T5826] __kasan_slab_alloc+0x22/0x80
[ 82.255076][ T5826] __kmalloc_noprof+0x224/0x4f0
[ 82.259938][ T5826] tomoyo_realpath_from_path+0xe3/0x5d0
[ 82.265497][ T5826] tomoyo_path_perm+0x213/0x4b0
[ 82.270357][ T5826] security_inode_getattr+0x12f/0x330
[ 82.275747][ T5826] vfs_fstatat+0xad/0x160
[ 82.280093][ T5826] __x64_sys_newfstatat+0x11c/0x1a0
[ 82.285305][ T5826] do_syscall_64+0xf6/0x210
[ 82.289808][ T5826] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 82.295708][ T5826]
[ 82.298029][ T5826] Memory state around the buggy address:
[ 82.303658][ T5826] ffff88807ee6df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.311813][ T5826] ffff88807ee6df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.319878][ T5826] >ffff88807ee6e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.327939][ T5826] ^
[ 82.332267][ T5826] ffff88807ee6e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.340330][ T5826] ffff88807ee6e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.348480][ T5826] ==================================================================
[ 82.358811][ T5826] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 82.366068][ T5826] CPU: 0 UID: 0 PID: 5826 Comm: syz-executor195 Not tainted 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 PREEMPT(full)
[ 82.378498][ T5826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
[ 82.388551][ T5826] Call Trace:
[ 82.391825][ T5826]
[ 82.394748][ T5826] dump_stack_lvl+0x99/0x250
[ 82.399347][ T5826] ? __asan_memcpy+0x40/0x70
[ 82.403933][ T5826] ? __pfx_dump_stack_lvl+0x10/0x10
[ 82.409135][ T5826] ? __pfx__printk+0x10/0x10
[ 82.413722][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 82.419352][ T5826] panic+0x2db/0x790
[ 82.423251][ T5826] ? __pfx_preempt_schedule+0x10/0x10
[ 82.428619][ T5826] ? __pfx_panic+0x10/0x10
[ 82.433036][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 82.438669][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 82.444297][ T5826] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 82.450182][ T5826] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 82.456508][ T5826] ? binder_add_device+0x5f/0xa0
[ 82.461448][ T5826] check_panic_on_warn+0x89/0xb0
[ 82.466393][ T5826] ? binder_add_device+0x5f/0xa0
[ 82.471332][ T5826] end_report+0x78/0x160
[ 82.475575][ T5826] kasan_report+0x129/0x150
[ 82.480074][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 82.485705][ T5826] ? binder_add_device+0x5f/0xa0
[ 82.490646][ T5826] binder_add_device+0x5f/0xa0
[ 82.495415][ T5826] binderfs_binder_device_create+0x8b7/0xaf0
[ 82.501406][ T5826] binderfs_fill_super+0xa0e/0xe90
[ 82.506523][ T5826] ? __pfx_binderfs_fill_super+0x10/0x10
[ 82.512168][ T5826] ? shrinker_register+0x16b/0x230
[ 82.517276][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 82.522906][ T5826] ? sget_fc+0x962/0xa40
[ 82.527165][ T5826] ? __pfx_set_anon_super_fc+0x10/0x10
[ 82.532620][ T5826] ? __pfx_binderfs_fill_super+0x10/0x10
[ 82.538251][ T5826] get_tree_nodev+0xbb/0x150
[ 82.542839][ T5826] vfs_get_tree+0x92/0x2b0
[ 82.547253][ T5826] do_new_mount+0x24a/0xa40
[ 82.551762][ T5826] __se_sys_mount+0x317/0x410
[ 82.556448][ T5826] ? __pfx___se_sys_mount+0x10/0x10
[ 82.561649][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 82.567307][ T5826] ? __x64_sys_mount+0x20/0xc0
[ 82.572076][ T5826] do_syscall_64+0xf6/0x210
[ 82.576581][ T5826] ? srso_alias_return_thunk+0x5/0xfbef5
[ 82.582209][ T5826] ? exc_page_fault+0x91/0x110
[ 82.586969][ T5826] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 82.592855][ T5826] RIP: 0033:0x7f101010fd1a
[ 82.597264][ T5826] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 8e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 82.616862][ T5826] RSP: 002b:00007ffed855eb58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 82.625299][ T5826] RAX: ffffffffffffffda RBX: 00007f1010158038 RCX: 00007f101010fd1a
[ 82.633265][ T5826] RDX: 00007f10101581b8 RSI: 00007f1010158038 RDI: 00007f10101581b8
[ 82.641228][ T5826] RBP: 00007f1010158188 R08: 0000000000000000 R09: 0000000000000140
[ 82.649190][ T5826] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f101015d1dc
[ 82.657154][ T5826] R13: 00007f10101580f0 R14: 0000000000000001 R15: 0000000000000001
[ 82.665125][ T5826]
[ 82.668337][ T5826] Kernel Offset: disabled
[ 82.672655][ T5826] Rebooting in 86400 seconds..