last executing test programs: 10.380029168s ago: executing program 1 (id=127): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/snd/timer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snd/timer', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snd/timer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snd/timer', 0x800, 0x0) 10.259279728s ago: executing program 1 (id=129): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/policy', 0x0, 0x0) 10.011146709s ago: executing program 1 (id=132): socket$nl_crypto(0x10, 0x3, 0x15) 9.929975616s ago: executing program 1 (id=134): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/nullb0', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/nullb0', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/nullb0', 0x800, 0x0) 9.768528969s ago: executing program 1 (id=136): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/tlk_device', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/tlk_device', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/tlk_device', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/tlk_device', 0x800, 0x0) 9.670190388s ago: executing program 1 (id=137): msgrcv(0x0, &(0x7f0000000000), 0x0, 0x0, 0x0) 1.76048791s ago: executing program 0 (id=218): linkat(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000), 0x0) 1.661963929s ago: executing program 0 (id=219): futex(&(0x7f0000000000), 0x0, 0x0, &(0x7f0000000000), &(0x7f0000000000), 0x0) 1.553179748s ago: executing program 0 (id=220): syz_open_dev$amidi(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$amidi(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$amidi(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$amidi(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$amidi(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$amidi(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$amidi(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$amidi(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$amidi(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$amidi(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$amidi(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$amidi(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$amidi(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$amidi(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$amidi(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$amidi(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$amidi(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$amidi(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$amidi(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$amidi(&(0x7f0000000500), 0x4, 0x800) 1.417038389s ago: executing program 0 (id=221): getgroups(0x0, &(0x7f0000000000)) 1.41607174s ago: executing program 0 (id=222): fsopen(&(0x7f0000000000), 0x0) 0s ago: executing program 0 (id=223): mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:54929' (ED25519) to the list of known hosts. [ 115.024064][ T30] audit: type=1400 audit(114.840:46): avc: denied { name_bind } for pid=3310 comm="sshd-session" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 115.285058][ T30] audit: type=1400 audit(115.100:47): avc: denied { execute } for pid=3311 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 115.287909][ T30] audit: type=1400 audit(115.100:48): avc: denied { execute_no_trans } for pid=3311 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 118.823746][ T30] audit: type=1400 audit(118.640:49): avc: denied { mounton } for pid=3311 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 118.829942][ T30] audit: type=1400 audit(118.640:50): avc: denied { mount } for pid=3311 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 118.852818][ T3311] cgroup: Unknown subsys name 'net' [ 118.867947][ T30] audit: type=1400 audit(118.680:51): avc: denied { unmount } for pid=3311 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 119.115440][ T3311] cgroup: Unknown subsys name 'cpuset' [ 119.144936][ T3311] cgroup: Unknown subsys name 'rlimit' [ 119.358581][ T30] audit: type=1400 audit(119.170:52): avc: denied { setattr } for pid=3311 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=703 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 119.361585][ T30] audit: type=1400 audit(119.180:53): avc: denied { create } for pid=3311 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 119.364635][ T30] audit: type=1400 audit(119.180:54): avc: denied { write } for pid=3311 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 119.367254][ T30] audit: type=1400 audit(119.180:55): avc: denied { module_request } for pid=3311 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 119.861069][ T3314] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 119.942448][ T3311] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 127.429928][ T30] kauditd_printk_skb: 7 callbacks suppressed [ 127.430472][ T30] audit: type=1400 audit(127.240:63): avc: denied { execmem } for pid=3315 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 127.464215][ T30] audit: type=1400 audit(127.280:64): avc: denied { read } for pid=3317 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 127.466360][ T30] audit: type=1400 audit(127.280:65): avc: denied { open } for pid=3317 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 127.479756][ T30] audit: type=1400 audit(127.290:66): avc: denied { mounton } for pid=3317 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 128.082353][ T30] audit: type=1400 audit(127.900:67): avc: denied { mount } for pid=3318 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 128.093089][ T30] audit: type=1400 audit(127.910:68): avc: denied { mounton } for pid=3318 comm="syz-executor" path="/syzkaller.vFHjmW/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 128.107145][ T30] audit: type=1400 audit(127.920:69): avc: denied { mount } for pid=3318 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 128.129839][ T30] audit: type=1400 audit(127.940:70): avc: denied { mounton } for pid=3318 comm="syz-executor" path="/syzkaller.vFHjmW/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 128.136963][ T30] audit: type=1400 audit(127.950:71): avc: denied { mounton } for pid=3318 comm="syz-executor" path="/syzkaller.vFHjmW/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=3115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 128.158139][ T30] audit: type=1400 audit(127.970:72): avc: denied { unmount } for pid=3318 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 132.616496][ T30] kauditd_printk_skb: 15 callbacks suppressed [ 132.617008][ T30] audit: type=1400 audit(132.430:88): avc: denied { read } for pid=3375 comm="syz.1.49" name="renderD128" dev="devtmpfs" ino=616 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 132.639516][ T30] audit: type=1400 audit(132.450:89): avc: denied { open } for pid=3375 comm="syz.1.49" path="/dev/dri/renderD128" dev="devtmpfs" ino=616 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 132.640007][ T30] audit: type=1400 audit(132.450:90): avc: denied { write } for pid=3375 comm="syz.1.49" name="renderD128" dev="devtmpfs" ino=616 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 132.708019][ T30] audit: type=1400 audit(132.520:91): avc: denied { create } for pid=3376 comm="syz.0.50" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 133.286204][ T30] audit: type=1400 audit(133.100:92): avc: denied { create } for pid=3383 comm="syz.1.56" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1 [ 133.659774][ T30] audit: type=1400 audit(133.470:93): avc: denied { create } for pid=3386 comm="syz.0.58" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 134.089859][ T30] audit: type=1400 audit(133.900:94): avc: denied { read } for pid=3389 comm="syz.1.61" name="ubi_ctrl" dev="devtmpfs" ino=688 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 134.090474][ T30] audit: type=1400 audit(133.900:95): avc: denied { open } for pid=3389 comm="syz.1.61" path="/dev/ubi_ctrl" dev="devtmpfs" ino=688 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 134.090918][ T30] audit: type=1400 audit(133.900:96): avc: denied { write } for pid=3389 comm="syz.1.61" name="ubi_ctrl" dev="devtmpfs" ino=688 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 134.499985][ T30] audit: type=1400 audit(134.310:97): avc: denied { read } for pid=3395 comm="syz.0.67" name="usbmon0" dev="devtmpfs" ino=697 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 138.037455][ T30] kauditd_printk_skb: 10 callbacks suppressed [ 138.040814][ T30] audit: type=1400 audit(137.840:108): avc: denied { create } for pid=3437 comm="syz.0.104" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rds_socket permissive=1 [ 138.042506][ T30] audit: type=1400 audit(137.850:109): avc: denied { create } for pid=3438 comm="syz.1.105" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1 [ 139.008324][ T30] audit: type=1400 audit(138.820:110): avc: denied { read } for pid=3450 comm="syz.0.117" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 139.011817][ T30] audit: type=1400 audit(138.820:111): avc: denied { open } for pid=3450 comm="syz.0.117" path="/dev/vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 139.033619][ T30] audit: type=1400 audit(138.850:112): avc: denied { write } for pid=3450 comm="syz.0.117" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 140.195163][ T30] audit: type=1400 audit(140.010:113): avc: denied { create } for pid=3465 comm="syz.1.132" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_crypto_socket permissive=1 [ 140.318943][ T30] audit: type=1400 audit(140.130:114): avc: denied { read } for pid=3467 comm="syz.1.134" name="nullb0" dev="devtmpfs" ino=671 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=blk_file permissive=1 [ 140.340670][ T30] audit: type=1400 audit(140.150:115): avc: denied { open } for pid=3467 comm="syz.1.134" path="/dev/nullb0" dev="devtmpfs" ino=671 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=blk_file permissive=1 [ 140.341268][ T30] audit: type=1400 audit(140.150:116): avc: denied { write } for pid=3467 comm="syz.1.134" name="nullb0" dev="devtmpfs" ino=671 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=blk_file permissive=1 [ 140.808428][ T30] audit: type=1400 audit(140.620:117): avc: denied { write } for pid=3474 comm="syz.0.141" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 141.008874][ T3476] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 144.183743][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 144.188370][ T30] audit: type=1400 audit(144.000:121): avc: denied { sys_module } for pid=3505 comm="syz.0.172" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 146.210660][ T30] audit: type=1400 audit(146.030:122): avc: denied { read } for pid=3529 comm="syz.0.196" name="uinput" dev="devtmpfs" ino=708 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 146.214216][ T30] audit: type=1400 audit(146.030:123): avc: denied { open } for pid=3529 comm="syz.0.196" path="/dev/uinput" dev="devtmpfs" ino=708 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 146.224355][ T30] audit: type=1400 audit(146.040:124): avc: denied { write } for pid=3529 comm="syz.0.196" name="uinput" dev="devtmpfs" ino=708 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 146.301221][ T30] audit: type=1400 audit(146.110:125): avc: denied { read write } for pid=3530 comm="syz.0.197" name="rdma_cm" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:infiniband_device_t tclass=chr_file permissive=1 [ 146.303600][ T30] audit: type=1400 audit(146.120:126): avc: denied { open } for pid=3530 comm="syz.0.197" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:infiniband_device_t tclass=chr_file permissive=1 [ 147.313210][ T30] audit: type=1400 audit(147.130:127): avc: denied { create } for pid=3540 comm="syz.0.206" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=kcm_socket permissive=1 [ 147.585819][ T3542] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 147.915056][ T30] audit: type=1400 audit(147.730:128): avc: denied { create } for pid=3546 comm="syz.0.212" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=sctp_socket permissive=1 [ 149.822475][ T30] audit: type=1400 audit(149.640:129): avc: denied { mounton } for pid=3559 comm="syz-executor" path="/syzkaller.ivBKn4/syz-tmp" dev="vda" ino=1878 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 149.832336][ T30] audit: type=1400 audit(149.650:130): avc: denied { mounton } for pid=3559 comm="syz-executor" path="/syzkaller.ivBKn4/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 149.841062][ T30] audit: type=1400 audit(149.660:131): avc: denied { mount } for pid=3559 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 149.891915][ T30] audit: type=1400 audit(149.700:132): avc: denied { mounton } for pid=3559 comm="syz-executor" path="/dev/gadgetfs" dev="devtmpfs" ino=1549 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1 [ 150.030930][ T3559] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 150.761707][ T3318] ================================================================== [ 150.762485][ T3318] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 150.763383][ T3318] Write of size 8 at addr ffff000018cc8c08 by task syz-executor/3318 [ 150.763483][ T3318] [ 150.764269][ T3318] CPU: 0 UID: 0 PID: 3318 Comm: syz-executor Not tainted 6.15.0-syzkaller-11796-g5abc7438f1e9 #0 PREEMPT [ 150.764375][ T3318] Hardware name: linux,dummy-virt (DT) [ 150.764682][ T3318] Call trace: [ 150.764885][ T3318] show_stack+0x18/0x24 (C) [ 150.765034][ T3318] dump_stack_lvl+0xa4/0xf4 [ 150.765101][ T3318] print_report+0xf4/0x60c [ 150.765147][ T3318] kasan_report+0xc8/0x108 [ 150.765185][ T3318] __asan_report_store8_noabort+0x20/0x2c [ 150.765227][ T3318] binderfs_evict_inode+0x2ac/0x2b4 [ 150.765273][ T3318] evict+0x2c0/0x67c [ 150.765316][ T3318] iput+0x3b0/0x6b4 [ 150.765373][ T3318] dentry_unlink_inode+0x208/0x46c [ 150.765410][ T3318] __dentry_kill+0x150/0x52c [ 150.765445][ T3318] shrink_dentry_list+0x114/0x3ac [ 150.765481][ T3318] shrink_dcache_parent+0x158/0x354 [ 150.765517][ T3318] shrink_dcache_for_umount+0x88/0x304 [ 150.765554][ T3318] generic_shutdown_super+0x60/0x2e8 [ 150.765593][ T3318] kill_litter_super+0x68/0xa4 [ 150.765630][ T3318] binderfs_kill_super+0x38/0x88 [ 150.765667][ T3318] deactivate_locked_super+0x98/0x17c [ 150.765705][ T3318] deactivate_super+0xb0/0xd4 [ 150.765741][ T3318] cleanup_mnt+0x198/0x424 [ 150.765778][ T3318] __cleanup_mnt+0x14/0x20 [ 150.765814][ T3318] task_work_run+0x128/0x210 [ 150.765853][ T3318] do_exit+0x5e8/0x1f6c [ 150.765893][ T3318] do_group_exit+0xa4/0x208 [ 150.765932][ T3318] get_signal+0x1b04/0x1bac [ 150.765973][ T3318] do_signal+0x160/0x6a8 [ 150.766009][ T3318] do_notify_resume+0x198/0x264 [ 150.766048][ T3318] el0_svc+0x118/0x198 [ 150.766089][ T3318] el0t_64_sync_handler+0x10c/0x138 [ 150.766132][ T3318] el0t_64_sync+0x198/0x19c [ 150.766326][ T3318] [ 150.767108][ T3318] Allocated by task 3317: [ 150.767374][ T3318] kasan_save_stack+0x3c/0x64 [ 150.767489][ T3318] kasan_save_track+0x20/0x3c [ 150.767571][ T3318] kasan_save_alloc_info+0x40/0x54 [ 150.767651][ T3318] __kasan_kmalloc+0xb8/0xbc [ 150.767727][ T3318] __kmalloc_cache_noprof+0x1b0/0x3cc [ 150.767810][ T3318] binderfs_binder_device_create.isra.0+0x150/0xa28 [ 150.767890][ T3318] binderfs_fill_super+0x69c/0xed4 [ 150.767967][ T3318] get_tree_nodev+0xac/0x148 [ 150.768044][ T3318] binderfs_fs_context_get_tree+0x18/0x24 [ 150.768121][ T3318] vfs_get_tree+0x74/0x280 [ 150.768196][ T3318] path_mount+0xe54/0x1834 [ 150.768283][ T3318] __arm64_sys_mount+0x304/0x3dc [ 150.768365][ T3318] invoke_syscall+0x6c/0x258 [ 150.768443][ T3318] el0_svc_common.constprop.0+0xac/0x230 [ 150.768521][ T3318] do_el0_svc+0x40/0x58 [ 150.768597][ T3318] el0_svc+0x50/0x198 [ 150.768675][ T3318] el0t_64_sync_handler+0x10c/0x138 [ 150.768755][ T3318] el0t_64_sync+0x198/0x19c [ 150.768865][ T3318] [ 150.768951][ T3318] Freed by task 3317: [ 150.769111][ T3318] kasan_save_stack+0x3c/0x64 [ 150.769199][ T3318] kasan_save_track+0x20/0x3c [ 150.769309][ T3318] kasan_save_free_info+0x4c/0x74 [ 150.769408][ T3318] __kasan_slab_free+0x50/0x6c [ 150.769486][ T3318] kfree+0x1bc/0x444 [ 150.769564][ T3318] binderfs_evict_inode+0x238/0x2b4 [ 150.769641][ T3318] evict+0x2c0/0x67c [ 150.769718][ T3318] iput+0x3b0/0x6b4 [ 150.769794][ T3318] dentry_unlink_inode+0x208/0x46c [ 150.769869][ T3318] __dentry_kill+0x150/0x52c [ 150.769944][ T3318] shrink_dentry_list+0x114/0x3ac [ 150.770019][ T3318] shrink_dcache_parent+0x158/0x354 [ 150.770095][ T3318] shrink_dcache_for_umount+0x88/0x304 [ 150.770171][ T3318] generic_shutdown_super+0x60/0x2e8 [ 150.770254][ T3318] kill_litter_super+0x68/0xa4 [ 150.770332][ T3318] binderfs_kill_super+0x38/0x88 [ 150.770409][ T3318] deactivate_locked_super+0x98/0x17c [ 150.770487][ T3318] deactivate_super+0xb0/0xd4 [ 150.770563][ T3318] cleanup_mnt+0x198/0x424 [ 150.770638][ T3318] __cleanup_mnt+0x14/0x20 [ 150.770714][ T3318] task_work_run+0x128/0x210 [ 150.770790][ T3318] do_exit+0x5e8/0x1f6c [ 150.770867][ T3318] do_group_exit+0xa4/0x208 [ 150.770948][ T3318] get_signal+0x1b04/0x1bac [ 150.771030][ T3318] do_signal+0x1f4/0x6a8 [ 150.771106][ T3318] do_notify_resume+0x198/0x264 [ 150.771201][ T3318] el0_svc+0x118/0x198 [ 150.771284][ T3318] el0t_64_sync_handler+0x10c/0x138 [ 150.771366][ T3318] el0t_64_sync+0x198/0x19c [ 150.771460][ T3318] [ 150.771590][ T3318] The buggy address belongs to the object at ffff000018cc8c00 [ 150.771590][ T3318] which belongs to the cache kmalloc-512 of size 512 [ 150.771739][ T3318] The buggy address is located 8 bytes inside of [ 150.771739][ T3318] freed 512-byte region [ffff000018cc8c00, ffff000018cc8e00) [ 150.771830][ T3318] [ 150.771958][ T3318] The buggy address belongs to the physical page: [ 150.772382][ T3318] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x58cc8 [ 150.772908][ T3318] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 150.773105][ T3318] anon flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 150.773595][ T3318] page_type: f5(slab) [ 150.773999][ T3318] raw: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 150.774102][ T3318] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 150.774262][ T3318] head: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 150.774348][ T3318] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 150.774427][ T3318] head: 01ffc00000000002 fffffdffc0633201 00000000ffffffff 00000000ffffffff [ 150.774503][ T3318] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 150.774620][ T3318] page dumped because: kasan: bad access detected [ 150.774706][ T3318] [ 150.774785][ T3318] Memory state around the buggy address: [ 150.775118][ T3318] ffff000018cc8b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 150.775235][ T3318] ffff000018cc8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 150.775346][ T3318] >ffff000018cc8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.775443][ T3318] ^ [ 150.775582][ T3318] ffff000018cc8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.775657][ T3318] ffff000018cc8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.775798][ T3318] ================================================================== [ 150.821596][ T3318] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 07:12:18 Registers: info registers vcpu 0 CPU#0 PC=ffff8000814543a8 X00=0000000000000000 X01=ffff800080007b40 X02=0000000000000000 X03=0000000000000003 X04=1ffff00010000f68 X05=00000000000c2000 X06=ffff00000e28a8d0 X07=3df1592f76153240 X08=0000000000000001 X09=ffff8000897d9000 X10=ffff700011a7a3e5 X11=1ffff00010000f78 X12=ffff700010000f79 X13=0000000000000000 X14=1fffe00002762c65 X15=185091ef7330d64d X16=2da400004c10ffff X17=dcc167da622e4e9b X18=ffff00001e078280 X19=ffff8000800368b8 X20=ffff800080007ba0 X21=ffff00000e289e40 X22=0000000000000000 X23=1ffff00010000f92 X24=ffff800087150000 X25=ffff80008d3d1f28 X26=1fffe000038247d2 X27=ffff0000149904b0 X28=0000000000000001 X29=ffff800080007a10 X30=ffff8000809aa02c SP=ffff8000800079e0 PSTATE=80000005 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=31706f6f6c2f6b63:6f6c622f6c617574 Q02=0000000000000121:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=3303330333033303:3303330333033303 Q05=bcbcbc00bcbcbcbc:bcbcbc00bcbcbcbc Q06=0000000000000073:0000aaaaff1fe3e0 Q07=0000000000000074:0000aaaaff1fb620 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffcb69f630:0000ffffcb69f630 Q17=ffffff80ffffffd0:0000ffffcb69f600 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081b8b588 X00=0000000000000002 X01=0000000000000000 X02=0000000000000002 X03=dfff800000000000 X04=0000000000000018 X05=ffff80008d9f79e0 X06=ffff700011b3ef3c X07=0000000000000001 X08=0000000000000003 X09=dfff800000000000 X10=ffff700011b3ef3c X11=1ffff00011b3ef3c X12=ffff700011b3ef3d X13=0000000000008000 X14=0000000000000000 X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=0000000000000000 X19=ffff00000ee05080 X20=ffff80008d4db018 X21=ffff800087b28460 X22=000000000000005b X23=dfff800000000000 X24=ffff00000ee4000f X25=0000000000000006 X26=0000000000000f01 X27=1fffe00001dc0a5a X28=ffff00000ee052d0 X29=ffff80008d9f7990 X30=ffff800081b8b814 SP=ffff80008d9f7990 PSTATE=800000c5 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=00322e6f732e766c:6f73657262696c2f Q02=0000000000000000:fffffffffff00000 Q03=0000000000000000:0000000000000000 Q04=3333333333333333:3333333333333333 Q05=0000000000000000:000000000c000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000