last executing test programs:
111.243186ms ago: executing program 3 (id=4):
link(&(0x7f0000000000), &(0x7f0000000000))
79.858202ms ago: executing program 0 (id=1):
fchownat(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0)
73.503549ms ago: executing program 3 (id=5):
capget(&(0x7f0000000000), &(0x7f0000000000))
75.809µs ago: executing program 3 (id=6):
rmdir(&(0x7f0000000000))
65.668µs ago: executing program 1 (id=2):
io_submit(0x0, 0x0, &(0x7f0000000000))
32.94µs ago: executing program 0 (id=7):
chmod(&(0x7f0000000000), 0x0)
28.251µs ago: executing program 2 (id=3):
pkey_alloc(0x0, 0x0)
12.318µs ago: executing program 1 (id=8):
lsm_set_self_attr(0x0, &(0x7f0000000000), 0x0, 0x0)
0s ago: executing program 3 (id=9):
semget(0xffffffffffffffff, 0x0, 0x0)
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.171' (ED25519) to the list of known hosts.
[ 60.949465][ T5817] cgroup: Unknown subsys name 'net'
[ 61.082435][ T5817] cgroup: Unknown subsys name 'cpuset'
[ 61.090483][ T5817] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 62.440074][ T5817] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 64.159099][ T5845] ==================================================================
[ 64.167202][ T5845] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 64.174925][ T5845] Write of size 8 at addr ffff888030c08808 by task syz-executor/5845
[ 64.182986][ T5845]
[ 64.185363][ T5845] CPU: 0 UID: 0 PID: 5845 Comm: syz-executor Not tainted 6.13.0-syzkaller-09147-ge2ee2e9b1590 #0
[ 64.185383][ T5845] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 64.185399][ T5845] Call Trace:
[ 64.185405][ T5845] <TASK>
[ 64.185415][ T5845] dump_stack_lvl+0x116/0x1f0
[ 64.185440][ T5845] print_report+0xc3/0x620
[ 64.185460][ T5845] ? __virt_addr_valid+0x5e/0x590
[ 64.185476][ T5845] ? __phys_addr+0xc6/0x150
[ 64.185491][ T5845] kasan_report+0xd9/0x110
[ 64.185516][ T5845] ? binder_add_device+0xa4/0xb0
[ 64.185533][ T5845] ? binder_add_device+0xa4/0xb0
[ 64.185551][ T5845] binder_add_device+0xa4/0xb0
[ 64.185566][ T5845] binderfs_binder_device_create.isra.0+0x8ec/0xad0
[ 64.185590][ T5845] binderfs_fill_super+0x848/0x1240
[ 64.185611][ T5845] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.185638][ T5845] ? shrinker_register+0x1a8/0x260
[ 64.185664][ T5845] ? sget_fc+0x488/0xb90
[ 64.185679][ T5845] ? apparmor_capable+0x114/0x1d0
[ 64.185703][ T5845] ? __pfx_set_anon_super_fc+0x10/0x10
[ 64.185728][ T5845] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.185746][ T5845] get_tree_nodev+0xda/0x190
[ 64.185764][ T5845] vfs_get_tree+0x8b/0x340
[ 64.185787][ T5845] path_mount+0x6e1/0x1f00
[ 64.185808][ T5845] ? kmem_cache_free+0x2e2/0x4d0
[ 64.185825][ T5845] ? __pfx_path_mount+0x10/0x10
[ 64.185845][ T5845] ? putname+0x13c/0x180
[ 64.185866][ T5845] __x64_sys_mount+0x28f/0x310
[ 64.185886][ T5845] ? __pfx___x64_sys_mount+0x10/0x10
[ 64.185905][ T5845] ? do_user_addr_fault+0x83d/0x13f0
[ 64.185928][ T5845] do_syscall_64+0xcd/0x250
[ 64.185946][ T5845] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.185970][ T5845] RIP: 0033:0x7f8c7938e54a
[ 64.185988][ T5845] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 64.186003][ T5845] RSP: 002b:00007ffd6ccf0358 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 64.186019][ T5845] RAX: ffffffffffffffda RBX: 00007f8c7940e663 RCX: 00007f8c7938e54a
[ 64.186030][ T5845] RDX: 00007f8c7941dda7 RSI: 00007f8c7940e663 RDI: 00007f8c7941dda7
[ 64.186042][ T5845] RBP: 00007ffd6ccf03d0 R08: 0000000000000000 R09: 0000000000000000
[ 64.186052][ T5845] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd6ccf03d0
[ 64.186062][ T5845] R13: 00007ffd6ccf03d8 R14: 0000000000000009 R15: 0000000000000000
[ 64.186077][ T5845] </TASK>
[ 64.186083][ T5845]
[ 64.423925][ T5845] Allocated by task 5827:
[ 64.428242][ T5845] kasan_save_stack+0x33/0x60
[ 64.432917][ T5845] kasan_save_track+0x14/0x30
[ 64.437604][ T5845] __kasan_kmalloc+0xaa/0xb0
[ 64.442188][ T5845] binderfs_binder_device_create.isra.0+0x17a/0xad0
[ 64.448774][ T5845] binderfs_fill_super+0x848/0x1240
[ 64.453983][ T5845] get_tree_nodev+0xda/0x190
[ 64.458583][ T5845] vfs_get_tree+0x8b/0x340
[ 64.463010][ T5845] path_mount+0x6e1/0x1f00
[ 64.467428][ T5845] __x64_sys_mount+0x28f/0x310
[ 64.472188][ T5845] do_syscall_64+0xcd/0x250
[ 64.476706][ T5845] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.482598][ T5845]
[ 64.484929][ T5845] Freed by task 5827:
[ 64.488914][ T5845] kasan_save_stack+0x33/0x60
[ 64.493588][ T5845] kasan_save_track+0x14/0x30
[ 64.498258][ T5845] kasan_save_free_info+0x3b/0x60
[ 64.503281][ T5845] __kasan_slab_free+0x51/0x70
[ 64.508041][ T5845] kfree+0x2c4/0x4d0
[ 64.511929][ T5845] binderfs_evict_inode+0x1e0/0x250
[ 64.517121][ T5845] evict+0x409/0x960
[ 64.521013][ T5845] iput+0x52a/0x890
[ 64.524840][ T5845] dentry_unlink_inode+0x29c/0x480
[ 64.529968][ T5845] __dentry_kill+0x1d0/0x600
[ 64.534552][ T5845] shrink_dentry_list+0x140/0x5d0
[ 64.539594][ T5845] shrink_dcache_parent+0xe2/0x530
[ 64.544723][ T5845] shrink_dcache_for_umount+0xa1/0x3e0
[ 64.550185][ T5845] generic_shutdown_super+0x6c/0x390
[ 64.555468][ T5845] kill_litter_super+0x70/0xa0
[ 64.560243][ T5845] binderfs_kill_super+0x3b/0xa0
[ 64.565196][ T5845] deactivate_locked_super+0xbe/0x1a0
[ 64.570579][ T5845] deactivate_super+0xde/0x100
[ 64.575368][ T5845] cleanup_mnt+0x222/0x450
[ 64.579777][ T5845] task_work_run+0x14e/0x250
[ 64.584365][ T5845] do_exit+0xad8/0x2d70
[ 64.588536][ T5845] do_group_exit+0xd3/0x2a0
[ 64.593053][ T5845] get_signal+0x2576/0x2610
[ 64.597566][ T5845] arch_do_signal_or_restart+0x90/0x7e0
[ 64.603109][ T5845] syscall_exit_to_user_mode+0x150/0x2a0
[ 64.608732][ T5845] do_syscall_64+0xda/0x250
[ 64.613245][ T5845] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.619148][ T5845]
[ 64.621469][ T5845] The buggy address belongs to the object at ffff888030c08800
[ 64.621469][ T5845] which belongs to the cache kmalloc-512 of size 512
[ 64.635559][ T5845] The buggy address is located 8 bytes inside of
[ 64.635559][ T5845] freed 512-byte region [ffff888030c08800, ffff888030c08a00)
[ 64.649264][ T5845]
[ 64.651580][ T5845] The buggy address belongs to the physical page:
[ 64.657995][ T5845] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30c08
[ 64.666747][ T5845] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 64.675236][ T5845] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 64.682868][ T5845] page_type: f5(slab)
[ 64.686840][ T5845] raw: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 64.695412][ T5845] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 64.704071][ T5845] head: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 64.712731][ T5845] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 64.721401][ T5845] head: 00fff00000000002 ffffea0000c30201 ffffffffffffffff 0000000000000000
[ 64.730063][ T5845] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 64.738725][ T5845] page dumped because: kasan: bad access detected
[ 64.745137][ T5845] page_owner tracks the page as allocated
[ 64.751356][ T5845] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5219, tgid 5219 (udevadm), ts 27285462797, free_ts 25233731093
[ 64.772632][ T5845] post_alloc_hook+0x181/0x1b0
[ 64.777670][ T5845] get_page_from_freelist+0xfce/0x2f80
[ 64.783143][ T5845] __alloc_frozen_pages_noprof+0x221/0x2470
[ 64.789059][ T5845] alloc_pages_mpol+0x1fc/0x540
[ 64.793994][ T5845] new_slab+0x23d/0x330
[ 64.798156][ T5845] ___slab_alloc+0xbfa/0x1600
[ 64.802822][ T5845] __slab_alloc.constprop.0+0x56/0xb0
[ 64.808283][ T5845] __kmalloc_cache_noprof+0xf6/0x420
[ 64.813573][ T5845] kernfs_fop_open+0x28b/0xdb0
[ 64.818334][ T5845] do_dentry_open+0x735/0x1c40
[ 64.823109][ T5845] vfs_open+0x82/0x3f0
[ 64.827176][ T5845] path_openat+0x1e88/0x2d80
[ 64.831755][ T5845] do_filp_open+0x20c/0x470
[ 64.836333][ T5845] do_sys_openat2+0x17a/0x1e0
[ 64.841005][ T5845] __x64_sys_openat+0x175/0x210
[ 64.845871][ T5845] do_syscall_64+0xcd/0x250
[ 64.850375][ T5845] page last free pid 5206 tgid 5206 stack trace:
[ 64.856696][ T5845] free_frozen_pages+0x6db/0xfb0
[ 64.861640][ T5845] qlist_free_all+0x4e/0x120
[ 64.866222][ T5845] kasan_quarantine_reduce+0x195/0x1e0
[ 64.871858][ T5845] __kasan_slab_alloc+0x69/0x90
[ 64.876706][ T5845] __kmalloc_noprof+0x1d1/0x4f0
[ 64.881579][ T5845] kernfs_fop_write_iter+0x223/0x500
[ 64.886871][ T5845] vfs_write+0x5ae/0x1150
[ 64.891189][ T5845] ksys_write+0x12b/0x250
[ 64.895594][ T5845] do_syscall_64+0xcd/0x250
[ 64.900180][ T5845] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.906077][ T5845]
[ 64.908401][ T5845] Memory state around the buggy address:
[ 64.914103][ T5845] ffff888030c08700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.922154][ T5845] ffff888030c08780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.930201][ T5845] >ffff888030c08800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.938358][ T5845] ^
[ 64.942685][ T5845] ffff888030c08880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.950742][ T5845] ffff888030c08900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 64.958792][ T5845] ==================================================================
[ 64.977984][ T5845] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 64.985209][ T5845] CPU: 0 UID: 0 PID: 5845 Comm: syz-executor Not tainted 6.13.0-syzkaller-09147-ge2ee2e9b1590 #0
[ 64.995913][ T5845] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 65.005971][ T5845] Call Trace:
[ 65.009234][ T5845] <TASK>
[ 65.012149][ T5845] dump_stack_lvl+0x3d/0x1f0
[ 65.016726][ T5845] panic+0x71d/0x800
[ 65.020614][ T5845] ? __pfx_panic+0x10/0x10
[ 65.025012][ T5845] ? irqentry_exit+0x3b/0x90
[ 65.029600][ T5845] ? lockdep_hardirqs_on+0x7c/0x110
[ 65.034824][ T5845] ? preempt_schedule_thunk+0x1a/0x30
[ 65.040216][ T5845] ? preempt_schedule_common+0x44/0xc0
[ 65.045790][ T5845] ? check_panic_on_warn+0x1f/0xb0
[ 65.051014][ T5845] check_panic_on_warn+0xab/0xb0
[ 65.055975][ T5845] end_report+0x117/0x180
[ 65.060328][ T5845] kasan_report+0xe9/0x110
[ 65.064766][ T5845] ? binder_add_device+0xa4/0xb0
[ 65.069728][ T5845] ? binder_add_device+0xa4/0xb0
[ 65.074708][ T5845] binder_add_device+0xa4/0xb0
[ 65.079459][ T5845] binderfs_binder_device_create.isra.0+0x8ec/0xad0
[ 65.086066][ T5845] binderfs_fill_super+0x848/0x1240
[ 65.091263][ T5845] ? __pfx_binderfs_fill_super+0x10/0x10
[ 65.096896][ T5845] ? shrinker_register+0x1a8/0x260
[ 65.102093][ T5845] ? sget_fc+0x488/0xb90
[ 65.106320][ T5845] ? apparmor_capable+0x114/0x1d0
[ 65.111348][ T5845] ? __pfx_set_anon_super_fc+0x10/0x10
[ 65.116813][ T5845] ? __pfx_binderfs_fill_super+0x10/0x10
[ 65.122437][ T5845] get_tree_nodev+0xda/0x190
[ 65.127187][ T5845] vfs_get_tree+0x8b/0x340
[ 65.131593][ T5845] path_mount+0x6e1/0x1f00
[ 65.136010][ T5845] ? kmem_cache_free+0x2e2/0x4d0
[ 65.140935][ T5845] ? __pfx_path_mount+0x10/0x10
[ 65.145787][ T5845] ? putname+0x13c/0x180
[ 65.150018][ T5845] __x64_sys_mount+0x28f/0x310
[ 65.154771][ T5845] ? __pfx___x64_sys_mount+0x10/0x10
[ 65.160040][ T5845] ? do_user_addr_fault+0x83d/0x13f0
[ 65.165327][ T5845] do_syscall_64+0xcd/0x250
[ 65.169816][ T5845] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 65.175698][ T5845] RIP: 0033:0x7f8c7938e54a
[ 65.180100][ T5845] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 65.199782][ T5845] RSP: 002b:00007ffd6ccf0358 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 65.208266][ T5845] RAX: ffffffffffffffda RBX: 00007f8c7940e663 RCX: 00007f8c7938e54a
[ 65.216252][ T5845] RDX: 00007f8c7941dda7 RSI: 00007f8c7940e663 RDI: 00007f8c7941dda7
[ 65.224231][ T5845] RBP: 00007ffd6ccf03d0 R08: 0000000000000000 R09: 0000000000000000
[ 65.232200][ T5845] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd6ccf03d0
[ 65.240161][ T5845] R13: 00007ffd6ccf03d8 R14: 0000000000000009 R15: 0000000000000000
[ 65.248132][ T5845] </TASK>
[ 65.251462][ T5845] Kernel Offset: disabled
[ 65.255870][ T5845] Rebooting in 86400 seconds..