last executing test programs:

2.759630068s ago: executing program 1 (id=2):
mq_getsetattr(0xffffffffffffffff, &(0x7f0000000000), 0x0)

2.499276736s ago: executing program 1 (id=4):
munlockall()

2.250382983s ago: executing program 1 (id=6):
waitid(0x0, 0x0, 0x0, 0x0, 0x0)

2.210848474s ago: executing program 1 (id=8):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/keys', 0x0, 0x0)

639.783231ms ago: executing program 0 (id=24):
shmdt(0x0)

562.254803ms ago: executing program 0 (id=25):
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)

270.933192ms ago: executing program 0 (id=26):
setfsgid(0x0)

171.086234ms ago: executing program 0 (id=27):
openat2(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), 0x0)

90.820947ms ago: executing program 0 (id=28):
io_uring_enter(0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000000000), 0x0)

0s ago: executing program 0 (id=29):
socket$can_bcm(0x1d, 0x2, 0x2)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:55016' (ED25519) to the list of known hosts.
syzkaller login: [ 127.002003][ T3267] cgroup: Unknown subsys name 'net'
[ 127.373942][ T3267] cgroup: Unknown subsys name 'cpuset'
[ 127.411787][ T3267] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 128.504567][ T3267] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[ 137.838709][ T3302] ==================================================================
[ 137.847477][ T3302] BUG: KASAN: slab-use-after-free in binder_add_device+0x14/0x2c
[ 137.849951][ T3302] Write at addr f3f0000007062608 by task syz-executor/3302
[ 137.851423][ T3302] Pointer tag: [f3], memory tag: [f5]
[ 137.853338][ T3302]
[ 137.854594][ T3302] CPU: 1 UID: 0 PID: 3302 Comm: syz-executor Not tainted 6.13.0-syzkaller-09196-gcd45f362fc1f #0
[ 137.855178][ T3302] Hardware name: linux,dummy-virt (DT)
[ 137.855538][ T3302] Call trace:
[ 137.855856][ T3302]  show_stack+0x18/0x24 (C)
[ 137.856314][ T3302]  dump_stack_lvl+0x78/0x90
[ 137.856591][ T3302]  print_report+0x108/0x618
[ 137.856797][ T3302]  kasan_report+0x88/0xac
[ 137.856994][ T3302]  __do_kernel_fault+0x170/0x1c8
[ 137.857184][ T3302]  do_tag_check_fault+0x78/0x8c
[ 137.857417][ T3302]  do_mem_abort+0x44/0x94
[ 137.857628][ T3302]  el1_abort+0x40/0x60
[ 137.857830][ T3302]  el1h_64_sync_handler+0xa4/0x120
[ 137.858037][ T3302]  el1h_64_sync+0x6c/0x70
[ 137.858346][ T3302]  binder_add_device+0x14/0x2c (P)
[ 137.858571][ T3302]  binderfs_fill_super+0x220/0x4f8
[ 137.858775][ T3302]  get_tree_nodev+0x70/0xb8
[ 137.858980][ T3302]  binderfs_fs_context_get_tree+0x18/0x24
[ 137.859167][ T3302]  vfs_get_tree+0x28/0xec
[ 137.859366][ T3302]  path_mount+0x3f8/0xa78
[ 137.859578][ T3302]  __arm64_sys_mount+0x1d4/0x2b4
[ 137.859777][ T3302]  invoke_syscall+0x48/0x110
[ 137.860011][ T3302]  el0_svc_common.constprop.0+0x40/0xe0
[ 137.860219][ T3302]  do_el0_svc+0x1c/0x28
[ 137.860417][ T3302]  el0_svc+0x30/0xe0
[ 137.860622][ T3302]  el0t_64_sync_handler+0x10c/0x138
[ 137.860815][ T3302]  el0t_64_sync+0x1a4/0x1a8
[ 137.861229][ T3302]
[ 137.875999][ T3302] Allocated by task 3286:
[ 137.876844][ T3302]  kasan_save_stack+0x3c/0x64
[ 137.877766][ T3302]  save_stack_info+0x40/0x158
SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 137.878656][ T3302]  kasan_save_alloc_info+0x14/0x20
[ 137.879415][ T3302]  __kasan_kmalloc+0xb4/0xb8
[ 137.880175][ T3302]  __kmalloc_cache_noprof+0x174/0x390
[ 137.880883][ T3302]  binderfs_binder_device_create.isra.0+0xac/0x368
[ 137.881586][ T3302]  binderfs_fill_super+0x220/0x4f8
[ 137.882263][ T3302]  get_tree_nodev+0x70/0xb8
[ 137.882865][ T3302]  binderfs_fs_context_get_tree+0x18/0x24
[ 137.883561][ T3302]  vfs_get_tree+0x28/0xec
[ 137.884261][ T3302]  path_mount+0x3f8/0xa78
[ 137.884973][ T3302]  __arm64_sys_mount+0x1d4/0x2b4
[ 137.885674][ T3302]  invoke_syscall+0x48/0x110
[ 137.886308][ T3302]  el0_svc_common.constprop.0+0x40/0xe0
[ 137.887005][ T3302]  do_el0_svc+0x1c/0x28
[ 137.887633][ T3302]  el0_svc+0x30/0xe0
[ 137.888279][ T3302]  el0t_64_sync_handler+0x10c/0x138
[ 137.888999][ T3302]  el0t_64_sync+0x1a4/0x1a8
[ 137.889729][ T3302]
[ 137.890215][ T3302] Freed by task 3286:
[ 137.890815][ T3302]  kasan_save_stack+0x3c/0x64
[ 137.891476][ T3302]  save_stack_info+0x40/0x158
[ 137.892135][ T3302]  kasan_save_free_info+0x18/0x24
[ 137.892807][ T3302]  __kasan_slab_free+0x74/0x8c
[ 137.893440][ T3302]  kfree+0xfc/0x30c
[ 137.894043][ T3302]  binderfs_evict_inode+0xe4/0xf8
[ 137.894792][ T3302]  evict+0xec/0x254
[ 137.895645][ T3302]  iput+0xfc/0x1b8
[ 137.896444][ T3302]  dentry_unlink_inode+0xc0/0x188
[ 137.897128][ T3302]  __dentry_kill+0x7c/0x1d4
[ 137.897791][ T3302]  shrink_dentry_list+0x74/0xe4
[ 137.898435][ T3302]  shrink_dcache_parent+0xcc/0x14c
[ 137.899110][ T3302]  shrink_dcache_for_umount+0x3c/0x1c8
[ 137.899853][ T3302]  generic_shutdown_super+0x24/0x100
[ 137.900588][ T3302]  kill_anon_super+0x20/0x90
[ 137.901262][ T3302]  kill_litter_super+0x28/0x38
[ 137.901938][ T3302]  binderfs_kill_super+0x18/0x40
[ 137.902616][ T3302]  deactivate_locked_super+0x50/0x12c
[ 137.903339][ T3302]  deactivate_super+0x84/0x9c
[ 137.904086][ T3302]  cleanup_mnt+0xa0/0x130
[ 137.904827][ T3302]  __cleanup_mnt+0x14/0x20
[ 137.905568][ T3302]  task_work_run+0x78/0xd4
[ 137.906204][ T3302]  do_exit+0x2c8/0x98c
[ 137.906819][ T3302]  do_group_exit+0x34/0x90
[ 137.907460][ T3302]  pid_child_should_wake+0x0/0x5c
[ 137.908172][ T3302]  invoke_syscall+0x48/0x110
[ 137.908857][ T3302]  el0_svc_common.constprop.0+0xc0/0xe0
[ 137.909555][ T3302]  do_el0_svc+0x1c/0x28
[ 137.910186][ T3302]  el0_svc+0x30/0xe0
[ 137.910794][ T3302]  el0t_64_sync_handler+0x10c/0x138
[ 137.911441][ T3302]  el0t_64_sync+0x1a4/0x1a8
[ 137.912157][ T3302]
[ 137.912682][ T3302] The buggy address belongs to the object at fff0000007062600
[ 137.912682][ T3302]  which belongs to the cache kmalloc-192 of size 192
[ 137.914163][ T3302] The buggy address is located 8 bytes inside of
[ 137.914163][ T3302]  192-byte region [fff0000007062600, fff00000070626c0)
[ 137.915817][ T3302]
[ 137.916487][ T3302] The buggy address belongs to the physical page:
[ 137.917501][ T3302] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47062
[ 137.918839][ T3302] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[ 137.920208][ T3302] page_type: f5(slab)
[ 137.921288][ T3302] raw: 01ffc00000000000 f3f0000003001300 dead000000000122 0000000000000000
[ 137.922292][ T3302] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 137.923256][ T3302] page dumped because: kasan: bad access detected
[ 137.924203][ T3302]
[ 137.924716][ T3302] Memory state around the buggy address:
[ 137.925848][ T3302]  fff0000007062400: f5 f5 f5 f5 f5 f5 f5 f5 f6 f6 f6 f6 f6 f6 f6 f6
[ 137.926736][ T3302]  fff0000007062500: f6 f6 f6 f6 fc fc fc fc fc fc fc fc fc fc fc fc
[ 137.927641][ T3302] >fff0000007062600: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
[ 137.928532][ T3302]  ^
[ 137.929206][ T3302]  fff0000007062700: f5 f5 f5 f5 f5 f5 f5 f5 f0 f0 f0 f0 f0 f0 f0 f0
[ 137.930077][ T3302]  fff0000007062800: f0 f0 f0 f0 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 fe fe
[ 137.931014][ T3302] ==================================================================
[ 137.933360][ T3302] Disabling lock debugging due to kernel taint

VM DIAGNOSIS:
20:08:20 Registers:
info registers vcpu 0
CPU#0
PC=ffff800081aa4ba4 X00=0000000003b8001a X01=0000000000000004
X02=f6f0000003335ddc X03=0000000000001dc0 X04=0000000000000003
X05=000000000000000e X06=000000000000000e X07=fdf000000415089c
X08=0000000000000128 X09=000000000000000f X10=f2f000000624a600
X11=0000002018943e60 X12=0000000000000001 X13=00000000000003fc
X14=fcf00000066d6400 X15=0000000000000000 X16=ffff800080000000
X17=fff07ffffd143000 X18=0000000000000000 X19=faf000000637fb00
X20=fbf000000637fa00 X21=faf0000004e0c198 X22=fbf000000637fa00
X23=000000000000ffff X24=0000000000000001 X25=0000000000000004
X26=faf0000004e0c000 X27=ffff8000827a9b50 X28=0000000000000000
X29=ffff800080003330 X30=ffff8000815dc1c4 SP=ffff800080003330
PSTATE=604020c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0
FPCR=00000000 FPSR=00000000
P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000
P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000
P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000
P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000
FFR=0000000000000000
Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6e61686300746e65:7665752f00276567
Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00000000f0000000:00000000f0000000
Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:f00ff00ff00ff00f:f00ff00ff00ff00f
Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000f0000000f000:0000f0000000f000
Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:3003300330033003:3003300330033003
Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:bcbcbc0000000003:bcbcbc0000000003
Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:3000000000000000:3000000000000000
Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000

info registers vcpu 1
CPU#1
PC=ffff8000803090ac X00=0000000000000023 X01=fdf0000005aa1240
X02=0000000000000000 X03=0000000000000000 X04=0000000000000000
X05=fff000007f8e3448 X06=80000000ffffe000 X07=ffff80008288e840
X08=00000000ffffdfff X09=ffff8000827de840 X10=ffff80008288e840
X11=00000000000002f0 X12=00000000000008d0 X13=ffff8000827de840
X14=ffff800088bb3348 X15=ffff800088bb31b0 X16=ffff800080008000
X17=fff07ffffd15c000 X18=00000000ffffffff X19=ffff800088bb3840
X20=fff0000007062608 X21=f3f0000007062608 X22=0000000007062608
X23=ffff80008251b000 X24=0000000000000000 X25=fcf00000040e3cc0
X26=0000000000000002 X27=0000000000000000 X28=fdf0000005aa1240
X29=ffff800088bb3780 X30=ffff8000803090ac SP=ffff800088bb3780
PSTATE=624020c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0
FPCR=00000000 FPSR=00000000
P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000
P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000
P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000
P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000
FFR=0000000000000000
Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6e61686300746e65:7665752f00276567
Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00000000f0000000:00000000f0000000
Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:f00ff00ff00ff00f:f00ff00ff00ff00f
Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000f0000000f000:0000f0000000f000
Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:3003300330033003:3003300330033003
Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:bcbcbc0000303003:bcbcbc0000303003
Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:3000000000000000:3000000000000000
Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000